
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1524646
MD5: 45c675b6790e21eacdb1f3478fcadfda
SHA1: 1e5955dd76b7b92c39114d6a45a99cf245ea1450
SHA256: a82303f0e40f9287c668597cc0250f6b1cfdab506282608510bdd49ec49f400c
Tags: exe, user-Bitsight

Detection

Credential Flusher
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Credential Flusher
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • file.exe (PID: 5008 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 45C675B6790E21EACDB1F3478FCADFDA)
    • taskkill.exe (PID: 5024 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 6420 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 4396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 5728 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 5768 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 1788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 7092 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • chrome.exe (PID: 3944 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 6332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2024,i,6605478859309440277,1233847571118689499,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 7956 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5556 --field-trial-handle=2024,i,6605478859309440277,1233847571118689499,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 7964 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 --field-trial-handle=2024,i,6605478859309440277,1233847571118689499,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No configs have been found
Source: Process Memory Space: file.exe PID: 5008
Rule: JoeSecurity_CredentialFlusher
Description: Yara detected Credential Flusher
Author: Joe Security
    No Sigma rule has matched
    No Suricata rule has matched

    AV Detection

    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
    Source: file.exe | Joe Sandbox ML: detected
    Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49754 version: TLS 1.0
    Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49716 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49721 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49745 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49759 version: TLS 1.2
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EBDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00EBDBBE
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E8C2A2 FindFirstFileExW,0_2_00E8C2A2
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC68EE FindFirstFileW,FindClose,0_2_00EC68EE
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00EC698F
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EBD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00EBD076
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EBD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00EBD3A9
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00EC9642
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00EC979D
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00EC9B2B
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00EC5C97
    Source: Joe Sandbox View | IP Address: 239.255.255.250 239.255.255.250
    Source: Joe Sandbox View | JA3 fingerprint: 1138de370e523e824bbca92d049a3777
    Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
    Source: unknown | HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49754 version: TLS 1.0
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_00ECCE44
    Source: global traffic | HTTP traffic detected:
        GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1
        Host: youtube.com
        Connection: keep-alive
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-platform: "Windows"
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected:
        GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1
        Host: www.youtube.com
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-platform: "Windows"
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
        Cookie: YSC=LR4Ww4U4cC4
    Source: global traffic | HTTP traffic detected:
        GET /fs/windows/config.json HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        Accept-Encoding: identity
        If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
        Range: bytes=0-2147483646
        User-Agent: Microsoft BITS/7.8
        Host: fs.microsoft.com
    Source: global traffic | HTTP traffic detected:
        GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=883938020&timestamp=1727917271313 HTTP/1.1
        Host: accounts.youtube.com
        Connection: keep-alive
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        sec-ch-ua-full-version: "117.0.5938.132"
        sec-ch-ua-arch: "x86"
        sec-ch-ua-platform: "Windows"
        sec-ch-ua-platform-version: "10.0.0"
        sec-ch-ua-model: ""
        sec-ch-ua-bitness: "64"
        sec-ch-ua-wow64: ?0
        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
        Sec-Fetch-Site: cross-site
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: iframe
        Referer: https://accounts.google.com/
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected:
        GET /favicon.ico HTTP/1.1
        Host: www.google.com
        Connection: keep-alive
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        sec-ch-ua-arch: "x86"
        sec-ch-ua-full-version: "117.0.5938.132"
        sec-ch-ua-platform-version: "10.0.0"
        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
        sec-ch-ua-bitness: "64"
        sec-ch-ua-model: ""
        sec-ch-ua-wow64: ?0
        sec-ch-ua-platform: "Windows"
        Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
        Sec-Fetch-Site: same-site
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: image
        Referer: https://accounts.google.com/
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
        Cookie: NID=518=1cJKq88DL4p6Lmr75sYj4DThWgBiWr5XjSVNG4BAv0w88GuNsy_vZ9J2opdRiOU82m-MtqEDJkK9qwoeWc0Q65w9peAhELyn_BPAroAFqM0qxQ208yJC8bsTwGYIipKLXvU4OPkmoKbBcsxL1zt7i0evR_Wn1qtt163J5Mmc5K8ZWkMGJEI
    Source: global traffic | HTTP traffic detected:
        GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ewFdoPw4kVxTdlA&MD=16USvz9R HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
        Host: slscr.update.microsoft.com
    Source: global traffic | HTTP traffic detected:
        GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ewFdoPw4kVxTdlA&MD=16USvz9R HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
        Host: slscr.update.microsoft.com
    Source: chromecache_93.14.dr | String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)
    Source: global traffic | DNS traffic detected: DNS query: youtube.com
    Source: global traffic | DNS traffic detected: DNS query: www.youtube.com
    Source: global traffic | DNS traffic detected: DNS query: www.google.com
    Source: global traffic | DNS traffic detected: DNS query: accounts.youtube.com
    Source: global traffic | DNS traffic detected: DNS query: play.google.com
    Source: unknown | HTTP traffic detected:
        POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
        Host: play.google.com
        Connection: keep-alive
        Content-Length: 519
        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
        sec-ch-ua-mobile: ?0
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        sec-ch-ua-arch: "x86"
        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
        sec-ch-ua-full-version: "117.0.5938.132"
        sec-ch-ua-platform-version: "10.0.0"
        X-Goog-AuthUser: 0
        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
        sec-ch-ua-bitness: "64"
        sec-ch-ua-model: ""
        sec-ch-ua-wow64: ?0
        sec-ch-ua-platform: "Windows"
        Accept: */*
        Origin: https://accounts.google.com
        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
        Sec-Fetch-Site: same-site
        Sec-Fetch-Mode: cors
        Sec-Fetch-Dest: empty
        Referer: https://accounts.google.com/
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.9
    Source: chromecache_93.14.dr | String found in binary or memory: https://accounts.google.com
    Source: chromecache_93.14.dr | String found in binary or memory: https://accounts.google.com/TOS?loc=
    Source: chromecache_99.14.dr | String found in binary or memory: https://apis.google.com/js/api.js
    Source: chromecache_93.14.dr | String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
    Source: chromecache_93.14.dr | String found in binary or memory: https://families.google.com/intl/
    Source: chromecache_99.14.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
    Source: chromecache_99.14.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
    Source: chromecache_93.14.dr | String found in binary or memory: https://g.co/recover
    Source: chromecache_93.14.dr | String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
    Source: chromecache_93.14.dr | String found in binary or memory: https://play.google.com/work/enroll?identifier=
    Source: chromecache_93.14.dr | String found in binary or memory: https://play.google/intl/
    Source: chromecache_93.14.dr | String found in binary or memory: https://policies.google.com/privacy
    Source: chromecache_93.14.dr | String found in binary or memory: https://policies.google.com/privacy/additional
    Source: chromecache_93.14.dr | String found in binary or memory: https://policies.google.com/privacy/google-partners
    Source: chromecache_93.14.dr | String found in binary or memory: https://policies.google.com/technologies/cookies
    Source: chromecache_93.14.dr | String found in binary or memory: https://policies.google.com/technologies/location-data
    Source: chromecache_93.14.dr | String found in binary or memory: https://policies.google.com/terms
    Source: chromecache_93.14.dr | String found in binary or memory: https://policies.google.com/terms/location
    Source: chromecache_93.14.dr | String found in binary or memory: https://policies.google.com/terms/service-specific
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
    Source: chromecache_99.14.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
    Source: chromecache_99.14.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
    Source: chromecache_93.14.drString found in binary or memory: https://support.google.com/accounts?hl=
    Source: chromecache_93.14.drString found in binary or memory: https://support.google.com/accounts?p=new-si-ui
    Source: chromecache_93.14.drString found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
    Source: chromecache_99.14.drString found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
    Source: chromecache_93.14.drString found in binary or memory: https://www.google.com
    Source: chromecache_93.14.drString found in binary or memory: https://www.google.com/intl/
    Source: chromecache_99.14.drString found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
    Source: chromecache_99.14.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
    Source: chromecache_99.14.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
    Source: chromecache_99.14.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
    Source: chromecache_99.14.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
    Source: chromecache_99.14.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
    Source: chromecache_93.14.drString found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
    Source: chromecache_93.14.drString found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
    Source: file.exe, 00000000.00000003.2068911496.00000000017DA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2048633354.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2069011303.00000000017E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
    Source: file.exe, 00000000.00000002.2069448561.00000000017A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdAUT32.dlli
    Source: chromecache_93.14.drString found in binary or memory: https://youtube.com/t/terms?gl=
    Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
    Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
    Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
    Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
    Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
    Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
    Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
    Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
    Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
    Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
    Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
    Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
    Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
    Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49716 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49721 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49745 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49759 version: TLS 1.2
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00ECEAFF
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00ECED6A
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00ECEAFF
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EBAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput | 0_2_00EBAA57
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_00EE9576

    System Summary

    Source: file.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
    Source: file.exe, 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_45dedde3-2
    Source: file.exe, 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_a7d7b370-a
    Source: file.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_7dd34b73-c
    Source: file.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_66e4efd4-2
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EBD5EB: CreateFileW,DeviceIoControl,CloseHandle | 0_2_00EBD5EB
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00EB1201
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EBE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_00EBE8F6
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E58060 | 0_2_00E58060
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC2046 | 0_2_00EC2046
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB8298 | 0_2_00EB8298
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E8E4FF | 0_2_00E8E4FF
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E8676B | 0_2_00E8676B
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE4873 | 0_2_00EE4873
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E5CAF0 | 0_2_00E5CAF0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E7CAA0 | 0_2_00E7CAA0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6CC39 | 0_2_00E6CC39
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E86DD9 | 0_2_00E86DD9
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6D073 | 0_2_00E6D073
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E591C0 | 0_2_00E591C0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6B119 | 0_2_00E6B119
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E71394 | 0_2_00E71394
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E71706 | 0_2_00E71706
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E7781B | 0_2_00E7781B
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E719B0 | 0_2_00E719B0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6997D | 0_2_00E6997D
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E57920 | 0_2_00E57920
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E77A4A | 0_2_00E77A4A
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E77CA7 | 0_2_00E77CA7
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E71C77 | 0_2_00E71C77
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E89EEE | 0_2_00E89EEE
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDBE44 | 0_2_00EDBE44
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E71F32 | 0_2_00E71F32
    Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00E59CB3 appears 31 times
    Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00E6F9F2 appears 40 times
    Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00E70A30 appears 46 times
    Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal64.troj.evad.winEXE@46/36@12/8
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC37B5 GetLastError,FormatMessageW | 0_2_00EC37B5
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB10BF AdjustTokenPrivileges,CloseHandle | 0_2_00EB10BF
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 0_2_00EB16C3
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode | 0_2_00EC51CD
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 0_2_00EDA67C
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize | 0_2_00EC648E
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource | 0_2_00E542A2
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4396:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1788:120:WilError_03
    Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2024,i,6605478859309440277,1233847571118689499,262144 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5556 --field-trial-handle=2024,i,6605478859309440277,1233847571118689499,262144 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 --field-trial-handle=2024,i,6605478859309440277,1233847571118689499,262144 /prefetch:8
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2024,i,6605478859309440277,1233847571118689499,262144 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5556 --field-trial-handle=2024,i,6605478859309440277,1233847571118689499,262144 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 --field-trial-handle=2024,i,6605478859309440277,1233847571118689499,262144 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: C:\Users\user\Desktop\file.exe | Section loaded: wsock32.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
    Source: Google Drive.lnk.12.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
    Source: YouTube.lnk.12.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
    Source: Sheets.lnk.12.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
    Source: Gmail.lnk.12.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
    Source: Slides.lnk.12.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
    Source: Docs.lnk.12.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00E542DE
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E70A76 push ecx; ret | 0_2_00E70A89
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00E6F98E
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 0_2_00EE1C41
    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\file.exe  Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
    Source: C:\Users\user\Desktop\file.exe  API coverage: 3.5 %
    Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EBDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00EBDBBE
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00E8C2A2 FindFirstFileExW, 0_2_00E8C2A2
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EC68EE FindFirstFileW,FindClose, 0_2_00EC68EE
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EC698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00EC698F
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EBD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00EBD076
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EBD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00EBD3A9
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EC9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00EC9642
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EC979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00EC979D
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EC9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00EC9B2B
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EC5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00EC5C97
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00E542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00E542DE
    Source: C:\Users\user\Desktop\file.exe  Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00ECEAA2 BlockInput, 0_2_00ECEAA2
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00E82622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E82622
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00E74CE8 mov eax, dword ptr fs:[00000030h] 0_2_00E74CE8
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EB0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00EB0B62
    Source: C:\Windows\SysWOW64\taskkill.exe  Process token adjusted: Debug
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00E7083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E7083F
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00E709D5 SetUnhandledExceptionFilter, 0_2_00E709D5
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00E70C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00E70C21
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EB1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00EB1201
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00E92BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00E92BA5
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EBB226 SendInput,keybd_event, 0_2_00EBB226
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00ED22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00ED22DA
    Source: C:\Users\user\Desktop\file.exe  Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Users\user\Desktop\file.exe  Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
    Source: C:\Users\user\Desktop\file.exe  Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
    Source: C:\Users\user\Desktop\file.exe  Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
    Source: C:\Users\user\Desktop\file.exe  Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EB1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00EB1663
    Source: file.exe  Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
    Source: file.exe  Binary or memory string: Shell_TrayWnd
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00E70698 cpuid 0_2_00E70698
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EC8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00EC8195
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00EAD27A GetUserNameW, 0_2_00EAD27A
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00E8B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00E8B952

    Stealing of Sensitive Information

    Source: Yara match  File source: Process Memory Space: file.exe PID: 5008, type: MEMORYSTR
    Source: file.exe  Binary or memory string: WIN_81
    Source: file.exe  Binary or memory string: WIN_XP
    Source: file.exe  Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
    Source: file.exe  Binary or memory string: WIN_XPe
    Source: file.exe  Binary or memory string: WIN_VISTA
    Source: file.exe  Binary or memory string: WIN_7
    Source: file.exe  Binary or memory string: WIN_8

    Remote Access Functionality

    Source: Yara match  File source: Process Memory Space: file.exe PID: 5008, type: MEMORYSTR
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00ED1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00ED1204
    Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00ED1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00ED1806
    MITRE ATT&CK Matrix (number in parentheses: count of matching signatures for that technique)

    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (2) | Input Capture (21) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (2) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
    Credentials | Domains | Default Accounts | Native API (1) | Valid Accounts (2) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Input Capture (21) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | At | Registry Run Keys / Startup Folder (1) | Valid Accounts (2) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Access Token Manipulation (21) | DLL Side-Loading (1) | NTDS | System Information Discovery (16) | Distributed Component Object Model | Input Capture | Application Layer Protocol (4) | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (2) | Masquerading (1) | LSA Secrets | Security Software Discovery (12) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Registry Run Keys / Startup Folder (1) | Valid Accounts (2) | Cached Domain Credentials | Virtualization/Sandbox Evasion (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (1) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (21) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (2) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
    Behavior Graph ID: 1524646, Sample: file.exe, Start date: 03/10/2024, Architecture: WINDOWS, Score: 64
    Sample-level signatures: Yara detected Credential Flusher; Binary is likely a compiled AutoIt script file; Machine Learning detection for sample; AI detected suspicious sample
    Process tree:
    file.exe (signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection)
      chrome.exe, network: 192.168.2.5 port 443 from local ports 49703, 49704 (ASN unknown, country unknown); 239.255.255.250 (ASN unknown, Reserved)
        chrome.exe, network: youtube-ui.l.google.com 142.250.185.238 port 443 from local port 49710 (GOOGLEUS, United States); 142.250.186.142 port 443 from local ports 49764, 49765 (GOOGLEUS, United States); 6 other IPs or domains
        chrome.exe
        chrome.exe
      taskkill.exe
        conhost.exe
      taskkill.exe
        conhost.exe
      3 other processes
        conhost.exe (3 instances)

    Source | Detection | Scanner | Label | Link
    file.exe | 100% | Joe Sandbox ML | |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    youtube-ui.l.google.com | 142.250.185.238 | true | false | | unknown
    www3.l.google.com | 142.250.186.78 | true | false | | unknown
    play.google.com | 142.250.186.174 | true | false | | unknown
    www.google.com | 216.58.206.68 | true | false | | unknown
    youtube.com | 216.58.212.142 | true | false | | unknown
    accounts.youtube.com | unknown | unknown | false | | unknown
    www.youtube.com | unknown | unknown | false | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://play.google.com/log?format=json&hasfast=true&authuser=0 | false | | unknown
    https://www.google.com/favicon.ico | false | | unknown
    https://play.google.com/log?hasfast=true&authuser=0&format=json | false | | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    142.250.186.78 | www3.l.google.com | United States | 15169 | GOOGLEUS | false
    216.58.212.142 | youtube.com | United States | 15169 | GOOGLEUS | false
    142.250.186.174 | play.google.com | United States | 15169 | GOOGLEUS | false
    142.250.185.238 | youtube-ui.l.google.com | United States | 15169 | GOOGLEUS | false
    216.58.206.68 | www.google.com | United States | 15169 | GOOGLEUS | false
    239.255.255.250 | unknown | Reserved | unknown | unknown | false
    142.250.186.142 | unknown | United States | 15169 | GOOGLEUS | false
    Private IP: 192.168.2.5
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1524646
    Start date and time: 2024-10-03 03:00:07 +02:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 5m 0s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 20
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: file.exe
    Detection: MAL
    Classification: mal64.troj.evad.winEXE@46/36@12/8
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 96%
    • Number of executed functions: 39
    • Number of non-executed functions: 314
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 172.217.18.3, 172.217.16.206, 142.251.173.84, 34.104.35.123, 172.217.16.138, 216.58.206.42, 142.250.185.138, 142.250.184.202, 172.217.18.10, 142.250.186.170, 142.250.186.42, 142.250.185.234, 142.250.185.202, 142.250.181.234, 142.250.185.74, 216.58.212.138, 142.250.184.234, 142.250.185.170, 142.250.74.202, 142.250.185.106, 142.250.185.195, 142.250.186.67, 142.250.186.106, 216.58.206.74, 142.250.186.138, 172.217.23.106, 172.217.16.202, 142.250.186.74, 199.232.210.172, 192.229.221.95, 142.250.185.227, 173.194.76.84, 142.250.185.78
    • Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
    • Not all processes were analyzed; the report is missing behavior information.
    • Report size exceeded maximum capacity and may have missing disassembly code.
    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
    • VT rate limit hit for: file.exe
                                    No simulations
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    239.255.255.250file.exeGet hashmaliciousCredential FlusherBrowse
                                      http://www.sunsetsafaris.com.au//homeGet hashmaliciousUnknownBrowse
                                        http://ryo-blog-for-life.com/Get hashmaliciousUnknownBrowse
                                          https://akbb.kampanyakrediiislemleri.com/Get hashmaliciousUnknownBrowse
                                            http://0f46b0f46b.briandrakebooks.com/Get hashmaliciousUnknownBrowse
                                              https://73214625721684432150.duckdns.org/home.phpGet hashmaliciousUnknownBrowse
                                                http://fpnc.vnvrff.com/Get hashmaliciousUnknownBrowse
                                                  file.exeGet hashmaliciousCredential FlusherBrowse
                                                    https://www.florenceco.org/offices/elected/solicitor/docket.php?area=florence%22%3E%3C%69%6D%67%20%73%72%63%3D%22%69%6D%61%67%65%2E%6A%70%67%22%20%6F%6E%65%72%72%6F%72%3D%22%76%61%72%20%75%72%6C%31%20%3D%20%5B%27%68%74%74%27%2C%27%70%3A%2F%2F%67%27%2C%27%6F%27%2C%27%6F%67%27%2C%27%6C%65%2E%63%27%2C%27%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%20%76%61%72%20%75%72%6C%32%20%3D%20%5B%27%68%74%74%27%2C%27%70%3A%2F%2F%67%27%2C%27%6F%27%2C%27%6F%67%27%2C%27%6C%65%2E%63%27%2C%27%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%76%61%72%20%75%72%6C%20%3D%20%5B%27%68%74%27%2C%27%74%70%27%2C%27%73%3A%2F%2F%76%27%2C%27%61%75%6C%27%2C%27%74%64%6F%27%2C%27%72%65%73%2E%63%27%2C%27%6F%6D%2F%30%2F%27%2C%27%30%2F%30%2F%27%2C%27%34%33%66%66%27%2C%27%35%63%62%35%27%2C%27%63%36%27%2C%27%32%65%27%2C%27%32%66%38%64%31%27%2C%27%31%63%61%33%38%38%27%2C%27%65%34%37%35%62%36%27%2C%27%63%34%36%2F14/392-16513/1254-3178-27524%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%20%75%72%6C%20%3D%20%75%72%6C%2E%72%65%70%6C%61%63%65%28%2F%2C%2F%67%2C%20%27%27%29%3B%20%76%61%72%20%77%69%6E%20%3D%20%77%69%6E%64%6F%77%2E%6F%70%65%6E%28%75%72%6C%2C%20%27%5F%73%65%6C%66%27%29%3B%20%77%69%6E%2E%6F%70%65%6E%65%72%20%3D%20%6E%75%6C%6C%3B%20%77%69%6E%2E%6C%6F%63%61%74%69%6F%6E%2E%72%65%70%6C%61%63%65%28%75%72%6C%29%3B%22%3EGet hashmaliciousPhisherBrowse
                                                      https://porn-app.com/download2Get hashmaliciousHTMLPhisherBrowse
                                                        No context
                                                        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
1138de370e523e824bbca92d049a3777 | https://akbb.kampanyakrediiislemleri.com/ | Get hash | malicious | Unknown | Browse | 23.1.237.91
 | https://73214625721684432150.duckdns.org/home.php | Get hash | malicious | Unknown | Browse | 23.1.237.91
 | http://fpnc.vnvrff.com/ | Get hash | malicious | Unknown | Browse | 23.1.237.91
 | http://allstatelock.com | Get hash | malicious | Unknown | Browse | 23.1.237.91
 | https://iranmealworm.com/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVpWSXliVFk9JnVpZD1VU0VSMDUwOTIwMjRVMzkwOTA1MzE=N0123N | Get hash | malicious | Unknown | Browse | 23.1.237.91
 | file.exe | Get hash | malicious | Unknown | Browse | 23.1.237.91
 | file.exe | Get hash | malicious | Credential Flusher | Browse | 23.1.237.91
 | file.exe | Get hash | malicious | Credential Flusher | Browse | 23.1.237.91
 | file.exe | Get hash | malicious | Credential Flusher | Browse | 23.1.237.91
 | file.exe | Get hash | malicious | Credential Flusher | Browse | 23.1.237.91
28a2c9bd18a11de089ef85a160da29e4 | file.exe | Get hash | malicious | Credential Flusher | Browse | 184.28.90.27, 20.12.23.50
 | http://www.sunsetsafaris.com.au//home | Get hash | malicious | Unknown | Browse | 184.28.90.27, 20.12.23.50
 | https://akbb.kampanyakrediiislemleri.com/ | Get hash | malicious | Unknown | Browse | 184.28.90.27, 20.12.23.50
 | http://0f46b0f46b.briandrakebooks.com/ | Get hash | malicious | Unknown | Browse | 184.28.90.27, 20.12.23.50
 | https://73214625721684432150.duckdns.org/home.php | Get hash | malicious | Unknown | Browse | 184.28.90.27, 20.12.23.50
 | http://fpnc.vnvrff.com/ | Get hash | malicious | Unknown | Browse | 184.28.90.27, 20.12.23.50
 | file.exe | Get hash | malicious | Credential Flusher | Browse | 184.28.90.27, 20.12.23.50
 | https://porn-app.com/download2 | Get hash | malicious | HTMLPhisher | Browse | 184.28.90.27, 20.12.23.50
 | https://perweierscotish.online/ | Get hash | malicious | HtmlDropper | Browse | 184.28.90.27, 20.12.23.50
                                                        No context
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 00:01:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                        Category:dropped
                                                        Size (bytes):2677
                                                        Entropy (8bit):3.9806766636089166
                                                        Encrypted:false
                                                        SSDEEP:48:8XMd1d4T8ksH1idAKZdA19ehwiZUklqehYgy+3:8sQvifgy
                                                        MD5:1BBB5A05CDF8AAF2785D12E84223C76A
                                                        SHA1:E8DA885CE79EB980FE0C00E951F59CDC7C172710
                                                        SHA-256:6D76DF38A66383AE64F2CEBF38D2C50DCD5517B9FFF26A14187ACD780528E762
                                                        SHA-512:9317C8953AED1412E9A44BC7357A00782D082AC955E811B0D3C2A2353CA4F0DEE7B037BAB3A0BE3173629979795AA52485A0C732575767CF4D2FBD10B268120A
                                                        Malicious:false
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 00:01:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                        Category:dropped
                                                        Size (bytes):2679
                                                        Entropy (8bit):3.9957456173160515
                                                        Encrypted:false
                                                        SSDEEP:48:8Ud4T8ksH1idAKZdA1weh/iZUkAQkqehPgy+2:8bv49Qagy
                                                        MD5:9CE6301FEDE669DFA2C82AD155F81ADA
                                                        SHA1:A86CB9ECE219E13559A9EA01EBD530E12DA667B9
                                                        SHA-256:2E29ED3CB5F448BBFF88D0D089119A0405FDF0D53F583F26E7763FB8A3BDAD4A
                                                        SHA-512:3095E947C1AFEBA8FCD274E881BBE7E150D9FF0F717376FF2B48CEF53D409ED10CCB68F7810A6F6A748AD84A0C043178CDDBEDDA858D220AE050E8F92E8B5135
                                                        Malicious:false
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                        Category:dropped
                                                        Size (bytes):2693
                                                        Entropy (8bit):4.00599031199346
                                                        Encrypted:false
                                                        SSDEEP:48:8xtd4T8ksH1idAKZdA14tseh7sFiZUkmgqeh7sxgy+BX:8xYvwnDgy
                                                        MD5:73539276AB21B6176A0DD05067E72A93
                                                        SHA1:A50898D8391923DD901F3344CB0F209C17322DC0
                                                        SHA-256:74FF855595496301C75A57251FD26739409579F2BB594CF0F2ADA1BA4E1B2092
                                                        SHA-512:C393FA2907724875762532059C6A680885CC1B9B317E47E8DDB23A6573EA44B568B90F39104B367CC2658DAEAC7FD0E51747C4C59E80BE98B8F5D12E59A100BF
                                                        Malicious:false
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 00:01:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                        Category:dropped
                                                        Size (bytes):2681
                                                        Entropy (8bit):3.9929470643814926
                                                        Encrypted:false
                                                        SSDEEP:48:8td4T8ksH1idAKZdA1vehDiZUkwqehbgy+R:8YvjJgy
                                                        MD5:DE7D5B2EE3C91B681429FFA794A840C8
                                                        SHA1:0B2A48016AAF38E6AA1BC9B64F0DE8EC441902B7
                                                        SHA-256:FC7BAF00859DADD41B07A8BB6BED00FDBBF7E8C6256DF7F12776A0B796104A9A
                                                        SHA-512:CBF0D9F485DF621692003BB2204FE2B48EDB97707A9FFD865C9985EC71AF49AF72C2F77503DE960ECC0A5D9B0102A2874F3602F61896164FC317F4CB45EF008A
                                                        Malicious:false
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 00:01:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                        Category:dropped
                                                        Size (bytes):2681
                                                        Entropy (8bit):3.9840489230988716
                                                        Encrypted:false
                                                        SSDEEP:48:88d4T8ksH1idAKZdA1hehBiZUk1W1qeh1gy+C:8Tvz9Vgy
                                                        MD5:492AC58206F1CCDFBA33EDC90A3F1EEE
                                                        SHA1:F0EEEAE9D241999A23230DD4B76A0FE60DD9A657
                                                        SHA-256:1B7016F2061C2A2B131196FE94CC7B2A4F593F8C26C4520EE52CB3CED6048E81
                                                        SHA-512:1401A5E69E1D8E80A4A978C016E7ECBC8031639EC437F21E62720F5F04479C172A3F8FF70B8402F5B8C5E8CE8732C119A2371C65AE8EE621886099B869D22A41
                                                        Malicious:false
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 00:01:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                        Category:dropped
                                                        Size (bytes):2683
                                                        Entropy (8bit):3.994293702013421
                                                        Encrypted:false
                                                        SSDEEP:48:8sd4T8ksH1idAKZdA1duT+ehOuTbbiZUk5OjqehOuTbDgy+yT+:8jvjT/TbxWOvTbDgy7T
                                                        MD5:5D0B887D594F09B246C31E31A5A34FA3
                                                        SHA1:33B54C56633185C96AE3D5AB7A27F66AE142B020
                                                        SHA-256:86FFEB9C28F1DADA2B2DA377E3D84FC77A0B82097F53F5874BE49FE0DB43C9FA
                                                        SHA-512:F9D7ACF97B8E14A2484B09A9ACB167E0B80BC3FEC6E4F8A6D4FD1DBF62AEA6470D3DC348311CAC42AF7459D876B19F9567A9B8861EFC72EE03477CE175E15D68
                                                        Malicious:false
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:ASCII text, with very long lines (570)
                                                        Category:downloaded
                                                        Size (bytes):3467
                                                        Entropy (8bit):5.514745431912774
                                                        Encrypted:false
                                                        SSDEEP:96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
                                                        MD5:8DEF399E8355ABC23E64505281005099
                                                        SHA1:24FF74C3AEFD7696D84FF148465DF4B1B60B1696
                                                        SHA-256:F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
                                                        SHA-512:33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
                                                        Malicious:false
                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:downloaded
                                                        Size (bytes):84
                                                        Entropy (8bit):4.875266466142591
                                                        Encrypted:false
                                                        SSDEEP:3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
                                                        MD5:87B6333E98B7620EA1FF98D1A837A39E
                                                        SHA1:105DE6815B0885357DE1414BFC0D77FCC9E924EF
                                                        SHA-256:DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
                                                        SHA-512:867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
                                                        Malicious:false
                                                        URL:https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
                                                        Preview:Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:ASCII text, with very long lines (395)
                                                        Category:downloaded
                                                        Size (bytes):1608
                                                        Entropy (8bit):5.257113147606035
                                                        Encrypted:false
                                                        SSDEEP:48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
                                                        MD5:F06E2DC5CC446B39F878B5F8E4D78418
                                                        SHA1:9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
                                                        SHA-256:118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
                                                        SHA-512:893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
                                                        Malicious:false
                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:ASCII text, with very long lines (522)
                                                        Category:downloaded
                                                        Size (bytes):5050
                                                        Entropy (8bit):5.289052544075544
                                                        Encrypted:false
                                                        SSDEEP:96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
                                                        MD5:26E26FD11772DFF5C7004BEA334289CC
                                                        SHA1:638DAAF541BDE31E95AEE4F8ADA677434D7051DB
                                                        SHA-256:ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
                                                        SHA-512:C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
                                                        Malicious:false
                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")||"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")||"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:ASCII text, with very long lines (1694)
                                                        Category:downloaded
                                                        Size (bytes):32500
                                                        Entropy (8bit):5.378903546681047
                                                        Encrypted:false
                                                        SSDEEP:768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
                                                        MD5:BF4BF9728A7C302FBA5B14F3D0F1878B
                                                        SHA1:2607CA7A93710D629400077FF3602CB207E6F53D
                                                        SHA-256:8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
                                                        SHA-512:AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
                                                        Malicious:false
                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:ASCII text, with very long lines (468)
                                                        Category:downloaded
                                                        Size (bytes):1858
                                                        Entropy (8bit):5.298162049824456
                                                        Encrypted:false
                                                        SSDEEP:48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
                                                        MD5:CE055F881BDAB4EF6C1C8AA4B3890348
                                                        SHA1:2671741A70E9F5B608F690AAEEA4972003747654
                                                        SHA-256:9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
                                                        SHA-512:8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
                                                        Malicious:false
                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)||function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)||function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)||function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:ASCII text, with very long lines (683)
                                                        Category:downloaded
                                                        Size (bytes):3131
                                                        Entropy (8bit):5.355381206612617
                                                        Encrypted:false
                                                        SSDEEP:48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
                                                        MD5:E2A7251AD83A0D0634FEA2703D10ED07
                                                        SHA1:90D72011F31FC40D3DA3748F2817F90A29EB5C01
                                                        SHA-256:1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
                                                        SHA-512:CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
                                                        Malicious:false
                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d||(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                                                        Category:downloaded
                                                        Size (bytes):5430
                                                        Entropy (8bit):3.6534652184263736
                                                        Encrypted:false
                                                        SSDEEP:48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
                                                        MD5:F3418A443E7D841097C714D69EC4BCB8
                                                        SHA1:49263695F6B0CDD72F45CF1B775E660FDC36C606
                                                        SHA-256:6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
                                                        SHA-512:82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
                                                        Malicious:false
                                                        URL:https://www.google.com/favicon.ico
                                                        Preview:............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:ASCII text, with very long lines (5693)
                                                        Category:downloaded
                                                        Size (bytes):698314
                                                        Entropy (8bit):5.595120835898624
                                                        Encrypted:false
                                                        SSDEEP:6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XISxi7SlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842ISxXJ09
                                                        MD5:F82438F9EAD5F57493C673008EED9E09
                                                        SHA1:E4681E68FD66D8C76C6ACBC21E2C45F36FD645BC
                                                        SHA-256:B4B092F54EAAA82BFAA159B8D61FB867B51C3067CBD60F4904A205A11F503250
                                                        SHA-512:89027A7B1B3A080D40411F2E6E3B62BF57AC60879223566E71BD41D900C17051F0A058EFE04F8F1FED5E05DC54617D7A86F83D21BDED0F79347795C8B980B4B2
                                                        Malicious:false
                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
                                                        Preview:"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:ASCII text, with very long lines (2907)
                                                        Category:downloaded
                                                        Size (bytes):22833
                                                        Entropy (8bit):5.425034548615223
                                                        Encrypted:false
                                                        SSDEEP:384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
                                                        MD5:749B18538FE32BFE0815D75F899F5B21
                                                        SHA1:AF95A019211AF69F752A43CAA54A83C2AFD41D28
                                                        SHA-256:116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
                                                        SHA-512:E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
                                                        Malicious:false
                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka||a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:HTML document, ASCII text, with very long lines (681)
                                                        Category:downloaded
                                                        Size (bytes):4066
                                                        Entropy (8bit):5.363016925556486
                                                        Encrypted:false
                                                        SSDEEP:96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9c7w:bCMZXVeR6jiosVrqtyzBaImyAKw9x
                                                        MD5:FC5E597D923838E10390DADD12651A81
                                                        SHA1:C9959F8D539DB5DF07B8246EC12539B6A9CC101F
                                                        SHA-256:A7EBD5280C50AE93C061EAE1E9727329E015E97531F8F2D82D0E3EA76ADB37B4
                                                        SHA-512:784CA572808F184A849388723FBB3701E6981D885BBA8A330A933F90BF0B36A2E4A491D4463A27911B1D9F7A7134F23E15F187FC7CB4554EAE9BC252513EED7C
                                                        Malicious:false
                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
                                                        Preview:"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
                                                        Category:downloaded
                                                        Size (bytes):52280
                                                        Entropy (8bit):7.995413196679271
                                                        Encrypted:true
                                                        SSDEEP:1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
                                                        MD5:F61F0D4D0F968D5BBA39A84C76277E1A
                                                        SHA1:AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
                                                        SHA-256:57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
                                                        SHA-512:6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
                                                        Malicious:false
                                                        URL:https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
                                                        Preview:wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.*',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.|*(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.5*1w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e*......71.?.7.ORv.?...l...G|.P...|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....|..D.d..
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:ASCII text, with very long lines (533)
                                                        Category:downloaded
                                                        Size (bytes):9210
                                                        Entropy (8bit):5.404371326611379
                                                        Encrypted:false
                                                        SSDEEP:192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
                                                        MD5:21E893B65627B397E22619A9F5BB9662
                                                        SHA1:F561B0F66211C1E7B22F94B4935C312AB7087E85
                                                        SHA-256:FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
                                                        SHA-512:3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
                                                        Malicious:false
                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null||typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]||null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null||b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:ASCII text, with very long lines (755)
                                                        Category:downloaded
                                                        Size (bytes):1460
                                                        Entropy (8bit):5.291808298251231
                                                        Encrypted:false
                                                        SSDEEP:24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
                                                        MD5:4CA7ADFE744A690411EA4D3EA8DB9E4B
                                                        SHA1:2CF1777A199E25378D330DA68BED1871B5C5BC32
                                                        SHA-256:128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
                                                        SHA-512:8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
                                                        Malicious:false
                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlG_aYNE-Dz95N0OV63231Yfi4Jf5g/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()*1E3,a.WR(),d.aa()*1E3,b)},a_a=function(a){return Math.random()*Math.min(a.wa*Math.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)
                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        File Type:ASCII text, with very long lines (553)
                                                        Category:downloaded
                                                        Size (bytes):743936
                                                        Entropy (8bit):5.791086230020914
                                                        Encrypted:false
                                                        SSDEEP:6144:YVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:Nfd8j91/N
                                                        MD5:1A3606C746E7B1C949D9078E8E8C1244
                                                        SHA1:56A3EB1E93E61ACD7AAD39DC3526CB60E23651B1
                                                        SHA-256:5F49AE5162183E2EF6F082B29EC99F18DB0212B8ADDB03699B1BFB0AC7869742
                                                        SHA-512:F2D15243311C472331C5F3F083BB6C18D38EC0247A3F3CBAFD96DBA40E4EAE489CDA04176672E39FE3760EF7347596B2A5EAB0FB0125E881EF514475C99863B9
                                                        Malicious:false
                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBi2EQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlE6O04h0gj7Nu50q-nmaRKM6WWcJw/m=_b,_tp"
                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a||[]};(0,_._F_toggles_initialize)([0x286081c4, 0x2046d860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT.*/./*. SPDX-License-Identifier: Apache-2.0.*/./*. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):6.5832946750344785
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:file.exe
                                                        File size:919'040 bytes
                                                        MD5:45c675b6790e21eacdb1f3478fcadfda
                                                        SHA1:1e5955dd76b7b92c39114d6a45a99cf245ea1450
                                                        SHA256:a82303f0e40f9287c668597cc0250f6b1cfdab506282608510bdd49ec49f400c
                                                        SHA512:125eac9aed6678e0f61b78e26b9e73126005602a3f358de5c448e68659e5d739e26a00e78463e7ee6980131deccab5423f062525f5ccbcfef063ee5391c94d68
                                                        SSDEEP:12288:TqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgalTm:TqDEvCTbMWu7rQYlBQcBiT6rprG8aRm
                                                        TLSH:1D159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
                                                        File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                        Icon Hash:aaf3e3e3938382a0
                                                        Entrypoint:0x420577
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x66FDE993 [Thu Oct 3 00:47:15 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:5
                                                        OS Version Minor:1
                                                        File Version Major:5
                                                        File Version Minor:1
                                                        Subsystem Version Major:5
                                                        Subsystem Version Minor:1
                                                        Import Hash:948cc502fe9226992dce9417f952fce3
                                                        Instruction
                                                        call 00007FAA3C7EA163h
                                                        jmp 00007FAA3C7E9A6Fh
                                                        push ebp
                                                        mov ebp, esp
                                                        push esi
                                                        push dword ptr [ebp+08h]
                                                        mov esi, ecx
                                                        call 00007FAA3C7E9C4Dh
                                                        mov dword ptr [esi], 0049FDF0h
                                                        mov eax, esi
                                                        pop esi
                                                        pop ebp
                                                        retn 0004h
                                                        and dword ptr [ecx+04h], 00000000h
                                                        mov eax, ecx
                                                        and dword ptr [ecx+08h], 00000000h
                                                        mov dword ptr [ecx+04h], 0049FDF8h
                                                        mov dword ptr [ecx], 0049FDF0h
                                                        ret
                                                        push ebp
                                                        mov ebp, esp
                                                        push esi
                                                        push dword ptr [ebp+08h]
                                                        mov esi, ecx
                                                        call 00007FAA3C7E9C1Ah
                                                        mov dword ptr [esi], 0049FE0Ch
                                                        mov eax, esi
                                                        pop esi
                                                        pop ebp
                                                        retn 0004h
                                                        and dword ptr [ecx+04h], 00000000h
                                                        mov eax, ecx
                                                        and dword ptr [ecx+08h], 00000000h
                                                        mov dword ptr [ecx+04h], 0049FE14h
                                                        mov dword ptr [ecx], 0049FE0Ch
                                                        ret
                                                        push ebp
                                                        mov ebp, esp
                                                        push esi
                                                        mov esi, ecx
                                                        lea eax, dword ptr [esi+04h]
                                                        mov dword ptr [esi], 0049FDD0h
                                                        and dword ptr [eax], 00000000h
                                                        and dword ptr [eax+04h], 00000000h
                                                        push eax
                                                        mov eax, dword ptr [ebp+08h]
                                                        add eax, 04h
                                                        push eax
                                                        call 00007FAA3C7EC80Dh
                                                        pop ecx
                                                        pop ecx
                                                        mov eax, esi
                                                        pop esi
                                                        pop ebp
                                                        retn 0004h
                                                        lea eax, dword ptr [ecx+04h]
                                                        mov dword ptr [ecx], 0049FDD0h
                                                        push eax
                                                        call 00007FAA3C7EC858h
                                                        pop ecx
                                                        ret
                                                        push ebp
                                                        mov ebp, esp
                                                        push esi
                                                        mov esi, ecx
                                                        lea eax, dword ptr [esi+04h]
                                                        mov dword ptr [esi], 0049FDD0h
                                                        push eax
                                                        call 00007FAA3C7EC841h
                                                        test byte ptr [ebp+08h], 00000001h
                                                        pop ecx
                                                        Programming Language:
                                                        • [ C ] VS2008 SP1 build 30729
                                                        • [IMP] VS2008 SP1 build 30729
                                                         Name | Virtual Address | Virtual Size | Is in Section
                                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x9a10 | .rsrc
                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xde000 | 0x7594 | .reloc
                                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                         .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                         .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                         .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                         .rsrc | 0xd4000 | 0x9a10 | 0x9c00 | 0d2e6c97e729a90df64c1792fd6fc0f1 | False | 0.3053385416666667 | data | 5.325468746671334 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                         .reloc | 0xde000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                         RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                                         RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                                         RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                                         RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                                         RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                                         RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                                         RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                                         RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                                         RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                                         RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                                         RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                                         RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
                                                         RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                                         RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
                                                         RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                                         RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                                         RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                                         RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                                         RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                                         RT_RCDATA | 0xdc7b8 | 0xcd8 | data | | | 1.003345498783455
                                                         RT_GROUP_ICON | 0xdd490 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                                         RT_GROUP_ICON | 0xdd508 | 0x14 | data | English | Great Britain | 1.25
                                                         RT_GROUP_ICON | 0xdd51c | 0x14 | data | English | Great Britain | 1.15
                                                         RT_GROUP_ICON | 0xdd530 | 0x14 | data | English | Great Britain | 1.25
                                                         RT_VERSION | 0xdd544 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                                         RT_MANIFEST | 0xdd620 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                                         DLL | Import
                                                         WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
                                                         VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                                         WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                                         COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                         MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
                                                         WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
                                                         PSAPI.DLL | GetProcessMemoryInfo
                                                         IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
                                                         USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
                                                         UxTheme.dll | IsThemeActive
                                                         KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
                                                         USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
                                                         GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
                                                         COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                                                         ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
                                                         SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
                                                         ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                                                         OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2024 03:00:58.144932032 CEST | 49675 | 443 | 192.168.2.5 | 23.1.237.91
Oct 3, 2024 03:00:58.145004988 CEST | 49674 | 443 | 192.168.2.5 | 23.1.237.91
Oct 3, 2024 03:00:58.254293919 CEST | 49673 | 443 | 192.168.2.5 | 23.1.237.91
Oct 3, 2024 03:01:03.424638987 CEST | 49704 | 443 | 192.168.2.5 | 216.58.212.142
Oct 3, 2024 03:01:03.424669981 CEST | 443 | 49704 | 216.58.212.142 | 192.168.2.5
Oct 3, 2024 03:01:03.425054073 CEST | 49704 | 443 | 192.168.2.5 | 216.58.212.142
Oct 3, 2024 03:01:03.425448895 CEST | 49704 | 443 | 192.168.2.5 | 216.58.212.142
Oct 3, 2024 03:01:03.425463915 CEST | 443 | 49704 | 216.58.212.142 | 192.168.2.5
Oct 3, 2024 03:01:04.087960005 CEST | 443 | 49704 | 216.58.212.142 | 192.168.2.5
Oct 3, 2024 03:01:04.088279009 CEST | 49704 | 443 | 192.168.2.5 | 216.58.212.142
Oct 3, 2024 03:01:04.088293076 CEST | 443 | 49704 | 216.58.212.142 | 192.168.2.5
Oct 3, 2024 03:01:04.089092970 CEST | 443 | 49704 | 216.58.212.142 | 192.168.2.5
Oct 3, 2024 03:01:04.089154959 CEST | 49704 | 443 | 192.168.2.5 | 216.58.212.142
Oct 3, 2024 03:01:04.090114117 CEST | 443 | 49704 | 216.58.212.142 | 192.168.2.5
Oct 3, 2024 03:01:04.090172052 CEST | 49704 | 443 | 192.168.2.5 | 216.58.212.142
Oct 3, 2024 03:01:04.091248035 CEST | 49704 | 443 | 192.168.2.5 | 216.58.212.142
Oct 3, 2024 03:01:04.091317892 CEST | 443 | 49704 | 216.58.212.142 | 192.168.2.5
Oct 3, 2024 03:01:04.091408968 CEST | 49704 | 443 | 192.168.2.5 | 216.58.212.142
Oct 3, 2024 03:01:04.135432005 CEST | 443 | 49704 | 216.58.212.142 | 192.168.2.5
Oct 3, 2024 03:01:04.137974024 CEST | 49704 | 443 | 192.168.2.5 | 216.58.212.142
Oct 3, 2024 03:01:04.137989044 CEST | 443 | 49704 | 216.58.212.142 | 192.168.2.5
Oct 3, 2024 03:01:04.184855938 CEST | 49704 | 443 | 192.168.2.5 | 216.58.212.142
Oct 3, 2024 03:01:04.371448040 CEST | 443 | 49704 | 216.58.212.142 | 192.168.2.5
Oct 3, 2024 03:01:04.371675014 CEST | 443 | 49704 | 216.58.212.142 | 192.168.2.5
Oct 3, 2024 03:01:04.371741056 CEST | 49704 | 443 | 192.168.2.5 | 216.58.212.142
Oct 3, 2024 03:01:04.377582073 CEST | 49704 | 443 | 192.168.2.5 | 216.58.212.142
Oct 3, 2024 03:01:04.377588034 CEST | 443 | 49704 | 216.58.212.142 | 192.168.2.5
Oct 3, 2024 03:01:04.389467001 CEST | 49710 | 443 | 192.168.2.5 | 142.250.185.238
Oct 3, 2024 03:01:04.389539957 CEST | 443 | 49710 | 142.250.185.238 | 192.168.2.5
Oct 3, 2024 03:01:04.389626026 CEST | 49710 | 443 | 192.168.2.5 | 142.250.185.238
Oct 3, 2024 03:01:04.389890909 CEST | 49710 | 443 | 192.168.2.5 | 142.250.185.238
Oct 3, 2024 03:01:04.389918089 CEST | 443 | 49710 | 142.250.185.238 | 192.168.2.5
Oct 3, 2024 03:01:05.104460955 CEST | 443 | 49710 | 142.250.185.238 | 192.168.2.5
Oct 3, 2024 03:01:05.105077982 CEST | 49710 | 443 | 192.168.2.5 | 142.250.185.238
Oct 3, 2024 03:01:05.105093956 CEST | 443 | 49710 | 142.250.185.238 | 192.168.2.5
Oct 3, 2024 03:01:05.105447054 CEST | 443 | 49710 | 142.250.185.238 | 192.168.2.5
Oct 3, 2024 03:01:05.105494976 CEST | 49710 | 443 | 192.168.2.5 | 142.250.185.238
Oct 3, 2024 03:01:05.106040955 CEST | 443 | 49710 | 142.250.185.238 | 192.168.2.5
Oct 3, 2024 03:01:05.106079102 CEST | 49710 | 443 | 192.168.2.5 | 142.250.185.238
Oct 3, 2024 03:01:05.107250929 CEST | 49710 | 443 | 192.168.2.5 | 142.250.185.238
Oct 3, 2024 03:01:05.107300997 CEST | 443 | 49710 | 142.250.185.238 | 192.168.2.5
Oct 3, 2024 03:01:05.107548952 CEST | 49710 | 443 | 192.168.2.5 | 142.250.185.238
Oct 3, 2024 03:01:05.107553959 CEST | 443 | 49710 | 142.250.185.238 | 192.168.2.5
Oct 3, 2024 03:01:05.153588057 CEST | 49710 | 443 | 192.168.2.5 | 142.250.185.238
Oct 3, 2024 03:01:05.400432110 CEST | 443 | 49710 | 142.250.185.238 | 192.168.2.5
Oct 3, 2024 03:01:05.400485039 CEST | 443 | 49710 | 142.250.185.238 | 192.168.2.5
Oct 3, 2024 03:01:05.400629044 CEST | 49710 | 443 | 192.168.2.5 | 142.250.185.238
Oct 3, 2024 03:01:05.400644064 CEST | 443 | 49710 | 142.250.185.238 | 192.168.2.5
Oct 3, 2024 03:01:05.400665045 CEST | 443 | 49710 | 142.250.185.238 | 192.168.2.5
Oct 3, 2024 03:01:05.400706053 CEST | 49710 | 443 | 192.168.2.5 | 142.250.185.238
Oct 3, 2024 03:01:05.402892113 CEST | 49710 | 443 | 192.168.2.5 | 142.250.185.238
Oct 3, 2024 03:01:05.402909040 CEST | 443 | 49710 | 142.250.185.238 | 192.168.2.5
Oct 3, 2024 03:01:07.752197027 CEST | 49675 | 443 | 192.168.2.5 | 23.1.237.91
Oct 3, 2024 03:01:07.752227068 CEST | 49674 | 443 | 192.168.2.5 | 23.1.237.91
Oct 3, 2024 03:01:07.807255983 CEST | 49715 | 443 | 192.168.2.5 | 216.58.206.68
Oct 3, 2024 03:01:07.807373047 CEST | 443 | 49715 | 216.58.206.68 | 192.168.2.5
Oct 3, 2024 03:01:07.807490110 CEST | 49715 | 443 | 192.168.2.5 | 216.58.206.68
Oct 3, 2024 03:01:07.807681084 CEST | 49715 | 443 | 192.168.2.5 | 216.58.206.68
Oct 3, 2024 03:01:07.807719946 CEST | 443 | 49715 | 216.58.206.68 | 192.168.2.5
Oct 3, 2024 03:01:07.843168974 CEST | 49716 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:07.843215942 CEST | 443 | 49716 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:07.843291998 CEST | 49716 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:07.845010042 CEST | 49716 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:07.845038891 CEST | 443 | 49716 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:07.856539965 CEST | 49673 | 443 | 192.168.2.5 | 23.1.237.91
Oct 3, 2024 03:01:08.443305016 CEST | 443 | 49715 | 216.58.206.68 | 192.168.2.5
Oct 3, 2024 03:01:08.443487883 CEST | 49715 | 443 | 192.168.2.5 | 216.58.206.68
Oct 3, 2024 03:01:08.443516970 CEST | 443 | 49715 | 216.58.206.68 | 192.168.2.5
Oct 3, 2024 03:01:08.444941998 CEST | 443 | 49715 | 216.58.206.68 | 192.168.2.5
Oct 3, 2024 03:01:08.444989920 CEST | 49715 | 443 | 192.168.2.5 | 216.58.206.68
Oct 3, 2024 03:01:08.446054935 CEST | 49715 | 443 | 192.168.2.5 | 216.58.206.68
Oct 3, 2024 03:01:08.446131945 CEST | 443 | 49715 | 216.58.206.68 | 192.168.2.5
Oct 3, 2024 03:01:08.487797022 CEST | 49715 | 443 | 192.168.2.5 | 216.58.206.68
Oct 3, 2024 03:01:08.487818003 CEST | 443 | 49715 | 216.58.206.68 | 192.168.2.5
Oct 3, 2024 03:01:08.505445004 CEST | 443 | 49716 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:08.505517006 CEST | 49716 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:08.509578943 CEST | 49716 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:08.509593964 CEST | 443 | 49716 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:08.509932995 CEST | 443 | 49716 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:08.543565989 CEST | 49715 | 443 | 192.168.2.5 | 216.58.206.68
Oct 3, 2024 03:01:08.559178114 CEST | 49716 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:08.561218977 CEST | 49716 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:08.603440046 CEST | 443 | 49716 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:08.776370049 CEST | 443 | 49716 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:08.776438951 CEST | 443 | 49716 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:08.776520014 CEST | 49716 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:08.776907921 CEST | 49716 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:08.776932001 CEST | 443 | 49716 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:08.776943922 CEST | 49716 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:08.776952982 CEST | 443 | 49716 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:08.818512917 CEST | 49721 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:08.818562031 CEST | 443 | 49721 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:08.818651915 CEST | 49721 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:08.819232941 CEST | 49721 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:08.819250107 CEST | 443 | 49721 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:09.463125944 CEST | 443 | 49721 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:09.463192940 CEST | 49721 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:09.467989922 CEST | 49721 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:09.468012094 CEST | 443 | 49721 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:09.468275070 CEST | 443 | 49721 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:09.470402956 CEST | 49721 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:09.515405893 CEST | 443 | 49721 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:09.736243010 CEST | 443 | 49721 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:09.736427069 CEST | 443 | 49721 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:09.736475945 CEST | 49721 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:09.792023897 CEST | 49721 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:09.792090893 CEST | 443 | 49721 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:09.792129993 CEST | 49721 | 443 | 192.168.2.5 | 184.28.90.27
Oct 3, 2024 03:01:09.792146921 CEST | 443 | 49721 | 184.28.90.27 | 192.168.2.5
Oct 3, 2024 03:01:10.014641047 CEST | 443 | 49703 | 23.1.237.91 | 192.168.2.5
Oct 3, 2024 03:01:10.014770031 CEST | 49703 | 443 | 192.168.2.5 | 23.1.237.91
Oct 3, 2024 03:01:12.363245964 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:12.363296986 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:12.363375902 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:12.363815069 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:12.363837004 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:12.991539955 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:12.991909981 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:12.991950989 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:12.992362976 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:12.992444038 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:12.993042946 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:12.993098974 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:12.994199991 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:12.994266033 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:12.994443893 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:12.994461060 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.036056995 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.310389996 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.310441017 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.310470104 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.310508966 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.310553074 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.310586929 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.316292048 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.316375017 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.316390038 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.322571039 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.322617054 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.322653055 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.322665930 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.322726011 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.328968048 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.329052925 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.335262060 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.335304022 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.335340023 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.335352898 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.335702896 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.396760941 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.396811008 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.397017956 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.397083998 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.397156000 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.399702072 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.399801016 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.406039000 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.406080961 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.406131029 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.406145096 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.407669067 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.414515018 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.414566994 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.418462038 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.418524981 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.418538094 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.419879913 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:13.419917107 CEST | 443 | 49736 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:13.419992924 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:13.420856953 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:13.420872927 CEST | 443 | 49736 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:13.424860001 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.425028086 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.425039053 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.431138992 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.431267023 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.431273937 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.431293011 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.431353092 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.431916952 CEST | 49732 | 443 | 192.168.2.5 | 142.250.186.78
Oct 3, 2024 03:01:13.431940079 CEST | 443 | 49732 | 142.250.186.78 | 192.168.2.5
Oct 3, 2024 03:01:13.522039890 CEST | 49737 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:13.522093058 CEST | 443 | 49737 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:13.522231102 CEST | 49737 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:13.522573948 CEST | 49737 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:13.522595882 CEST | 443 | 49737 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.059717894 CEST | 443 | 49736 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.109272003 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.155580044 CEST | 443 | 49737 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.205493927 CEST | 49737 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.208868980 CEST | 49737 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.208877087 CEST | 443 | 49737 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.209209919 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.209233999 CEST | 443 | 49736 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.210226059 CEST | 443 | 49737 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.210308075 CEST | 49737 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.211301088 CEST | 443 | 49736 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.211397886 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.212816000 CEST | 443 | 49737 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.212891102 CEST | 49737 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.213848114 CEST | 443 | 49736 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.213907957 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.213933945 CEST | 49737 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.214140892 CEST | 443 | 49737 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.214211941 CEST | 49737 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.214354038 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.214507103 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.214518070 CEST | 443 | 49736 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.214843035 CEST | 443 | 49736 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.259427071 CEST | 443 | 49737 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.264219046 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.264219999 CEST | 49737 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.264235973 CEST | 443 | 49737 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.264242887 CEST | 443 | 49736 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.310471058 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.310600042 CEST | 49737 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.429322958 CEST | 443 | 49736 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.430429935 CEST | 443 | 49736 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.430497885 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.430530071 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.430530071 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.430548906 CEST | 443 | 49736 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.430624008 CEST | 49736 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.431881905 CEST | 49739 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.431906939 CEST | 443 | 49739 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.431966066 CEST | 49739 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.432462931 CEST | 49739 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.432482958 CEST | 443 | 49739 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.456048012 CEST | 443 | 49737 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.456105947 CEST | 443 | 49737 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.456160069 CEST | 49737 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.456800938 CEST | 49737 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.456809998 CEST | 443 | 49737 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.457685947 CEST | 49741 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.457735062 CEST | 443 | 49741 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:14.457784891 CEST | 49741 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.458482981 CEST | 49741 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:14.458518028 CEST | 443 | 49741 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.099869967 CEST | 443 | 49741 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.100074053 CEST | 49741 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.100090981 CEST | 443 | 49741 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.100451946 CEST | 443 | 49741 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.100513935 CEST | 49741 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.101157904 CEST | 443 | 49741 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.101216078 CEST | 49741 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.101331949 CEST | 49741 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.101394892 CEST | 443 | 49741 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.101432085 CEST | 49741 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.101452112 CEST | 49741 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.101459980 CEST | 443 | 49741 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.154108047 CEST | 49741 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.157505035 CEST | 443 | 49739 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.157906055 CEST | 49739 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.157939911 CEST | 443 | 49739 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.158313990 CEST | 443 | 49739 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.158389091 CEST | 49739 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.159008026 CEST | 443 | 49739 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.159066916 CEST | 49739 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.159204006 CEST | 49739 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.159269094 CEST | 443 | 49739 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.159424067 CEST | 49739 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.159424067 CEST | 49739 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.159446001 CEST | 443 | 49739 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.201009989 CEST | 49739 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.201029062 CEST | 443 | 49739 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.320314884 CEST | 443 | 49741 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.321327925 CEST | 443 | 49741 | 142.250.186.174 | 192.168.2.5
Oct 3, 2024 03:01:15.321391106 CEST | 49741 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.322002888 CEST | 49741 | 443 | 192.168.2.5 | 142.250.186.174
Oct 3, 2024 03:01:15.322017908 CEST | 443 | 49741 | 142.250.186.174 | 192.168.2.5
                                                        Oct 3, 2024 03:01:15.376503944 CEST44349739142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:15.377549887 CEST44349739142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:15.377624989 CEST49739443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:15.378231049 CEST49739443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:15.378272057 CEST44349739142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:15.705538988 CEST49715443192.168.2.5216.58.206.68
                                                        Oct 3, 2024 03:01:15.751394033 CEST44349715216.58.206.68192.168.2.5
                                                        Oct 3, 2024 03:01:15.971529961 CEST44349715216.58.206.68192.168.2.5
                                                        Oct 3, 2024 03:01:15.971576929 CEST44349715216.58.206.68192.168.2.5
                                                        Oct 3, 2024 03:01:15.971604109 CEST44349715216.58.206.68192.168.2.5
                                                        Oct 3, 2024 03:01:15.971643925 CEST44349715216.58.206.68192.168.2.5
                                                        Oct 3, 2024 03:01:15.971757889 CEST44349715216.58.206.68192.168.2.5
                                                        Oct 3, 2024 03:01:15.971760035 CEST49715443192.168.2.5216.58.206.68
                                                        Oct 3, 2024 03:01:15.971760035 CEST49715443192.168.2.5216.58.206.68
                                                        Oct 3, 2024 03:01:15.971801043 CEST49715443192.168.2.5216.58.206.68
                                                        Oct 3, 2024 03:01:15.972621918 CEST49715443192.168.2.5216.58.206.68
                                                        Oct 3, 2024 03:01:15.972650051 CEST44349715216.58.206.68192.168.2.5
                                                        Oct 3, 2024 03:01:16.788772106 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:16.788810015 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:16.788880110 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:16.790450096 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:16.790467978 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:17.418103933 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:17.418165922 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:17.420944929 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:17.420955896 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:17.421241999 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:17.466438055 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:17.998075962 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:18.039402008 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:18.201453924 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:18.201478004 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:18.201483965 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:18.201524019 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:18.201556921 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:18.201570988 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:18.201580048 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:18.201591969 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:18.201617956 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:18.202058077 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:18.202111006 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:18.202116966 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:18.202200890 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:18.205256939 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:18.697448969 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:18.697479963 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:18.697493076 CEST49745443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:18.697499037 CEST4434974520.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:20.240823030 CEST49703443192.168.2.523.1.237.91
                                                        Oct 3, 2024 03:01:20.240884066 CEST49703443192.168.2.523.1.237.91
                                                        Oct 3, 2024 03:01:20.241187096 CEST49754443192.168.2.523.1.237.91
                                                        Oct 3, 2024 03:01:20.241219997 CEST4434975423.1.237.91192.168.2.5
                                                        Oct 3, 2024 03:01:20.241292000 CEST49754443192.168.2.523.1.237.91
                                                        Oct 3, 2024 03:01:20.244203091 CEST49754443192.168.2.523.1.237.91
                                                        Oct 3, 2024 03:01:20.244213104 CEST4434975423.1.237.91192.168.2.5
                                                        Oct 3, 2024 03:01:20.245948076 CEST4434970323.1.237.91192.168.2.5
                                                        Oct 3, 2024 03:01:20.245975018 CEST4434970323.1.237.91192.168.2.5
                                                        Oct 3, 2024 03:01:21.486547947 CEST49755443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:21.486588001 CEST44349755142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:21.491408110 CEST49755443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:21.494045019 CEST49755443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:21.494057894 CEST44349755142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:21.796566963 CEST4434975423.1.237.91192.168.2.5
                                                        Oct 3, 2024 03:01:21.796648026 CEST49754443192.168.2.523.1.237.91
                                                        Oct 3, 2024 03:01:22.126755953 CEST44349755142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:22.127099037 CEST49755443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:22.127105951 CEST44349755142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:22.127459049 CEST44349755142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:22.127744913 CEST49755443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:22.127793074 CEST44349755142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:22.127916098 CEST49755443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:22.127916098 CEST49755443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:22.127937078 CEST44349755142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:22.456254005 CEST44349755142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:22.457088947 CEST44349755142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:22.457165003 CEST49755443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:22.458209038 CEST49755443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:22.458224058 CEST44349755142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:41.477015972 CEST4434975423.1.237.91192.168.2.5
                                                        Oct 3, 2024 03:01:41.477097988 CEST49754443192.168.2.523.1.237.91
                                                        Oct 3, 2024 03:01:43.797081947 CEST49756443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:43.797200918 CEST44349756142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:43.797291994 CEST49756443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:43.797517061 CEST49756443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:43.797549009 CEST44349756142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:44.431016922 CEST44349756142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:44.431360006 CEST49756443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:44.431390047 CEST44349756142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:44.431723118 CEST44349756142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:44.431982994 CEST49756443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:44.432034969 CEST44349756142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:44.432116032 CEST49756443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:44.432126999 CEST49756443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:44.432137012 CEST44349756142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:44.499092102 CEST49757443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:44.499139071 CEST44349757142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:44.499206066 CEST49757443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:44.499568939 CEST49757443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:44.499583960 CEST44349757142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:44.732886076 CEST44349756142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:44.733494997 CEST44349756142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:44.733576059 CEST49756443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:44.733678102 CEST49756443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:44.733696938 CEST44349756142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:45.130656958 CEST44349757142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:45.130979061 CEST49757443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:45.131006956 CEST44349757142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:45.131758928 CEST44349757142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:45.132038116 CEST49757443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:45.132123947 CEST44349757142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:45.132177114 CEST49757443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:45.132195950 CEST49757443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:45.132210970 CEST44349757142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:45.348634958 CEST44349757142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:45.349453926 CEST44349757142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:45.349523067 CEST49757443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:45.349844933 CEST49757443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:45.349860907 CEST44349757142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:46.733335018 CEST49758443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:46.733406067 CEST44349758142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:46.733514071 CEST49758443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:46.733807087 CEST49758443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:46.733824015 CEST44349758142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:47.363708973 CEST44349758142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:47.397001982 CEST49758443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:47.397041082 CEST44349758142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:47.397669077 CEST44349758142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:47.404227972 CEST49758443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:47.404354095 CEST44349758142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:47.407905102 CEST49758443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:47.407929897 CEST49758443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:47.407943964 CEST44349758142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:47.664505959 CEST44349758142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:47.664868116 CEST44349758142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:47.664927006 CEST49758443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:47.665168047 CEST49758443192.168.2.5142.250.186.174
                                                        Oct 3, 2024 03:01:47.665194035 CEST44349758142.250.186.174192.168.2.5
                                                        Oct 3, 2024 03:01:55.345669031 CEST49759443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:55.345727921 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:55.345807076 CEST49759443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:55.346271038 CEST49759443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:55.346287966 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:55.947990894 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:55.948071003 CEST49759443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:55.952238083 CEST49759443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:55.952253103 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:55.952461004 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:55.959331989 CEST49759443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:56.003422976 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:56.158675909 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:56.158699036 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:56.158724070 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:56.158885956 CEST49759443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:56.158917904 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:56.159096003 CEST49759443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:56.159681082 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:56.159713030 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:56.159871101 CEST49759443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:56.159871101 CEST49759443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:56.159879923 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:56.160073996 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:56.160119057 CEST49759443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:56.163074017 CEST49759443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:56.163120985 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:01:56.163146019 CEST49759443192.168.2.520.12.23.50
                                                        Oct 3, 2024 03:01:56.163161039 CEST4434975920.12.23.50192.168.2.5
                                                        Oct 3, 2024 03:02:07.848447084 CEST49761443192.168.2.5216.58.206.68
                                                        Oct 3, 2024 03:02:07.848551989 CEST44349761216.58.206.68192.168.2.5
                                                        Oct 3, 2024 03:02:07.848675966 CEST49761443192.168.2.5216.58.206.68
                                                        Oct 3, 2024 03:02:07.848865032 CEST49761443192.168.2.5216.58.206.68
                                                        Oct 3, 2024 03:02:07.848907948 CEST44349761216.58.206.68192.168.2.5
                                                        Oct 3, 2024 03:02:14.603506088 CEST49764443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:14.603599072 CEST44349764142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:14.603681087 CEST49764443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:14.603930950 CEST49764443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:14.603965998 CEST44349764142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:15.249670029 CEST44349764142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:15.249926090 CEST49764443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:15.249947071 CEST44349764142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:15.250485897 CEST44349764142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:15.250803947 CEST49764443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:15.250895023 CEST44349764142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:15.250937939 CEST49764443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:15.250937939 CEST49764443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:15.250976086 CEST44349764142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:15.293790102 CEST49764443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:15.549295902 CEST44349764142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:15.550117016 CEST44349764142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:15.550209045 CEST49764443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:15.550467014 CEST49764443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:15.550488949 CEST44349764142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:17.531450033 CEST49765443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:17.531547070 CEST44349765142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:17.531652927 CEST49765443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:17.531898975 CEST49765443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:17.531929016 CEST44349765142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:18.179507017 CEST44349765142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:18.183044910 CEST49765443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:18.183109999 CEST44349765142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:18.183466911 CEST44349765142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:18.183746099 CEST49765443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:18.183810949 CEST44349765142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:18.184051037 CEST49765443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:18.184051037 CEST49765443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:18.184089899 CEST44349765142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:18.479150057 CEST44349765142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:18.479535103 CEST44349765142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:18.479615927 CEST49765443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:18.479777098 CEST49765443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:18.479821920 CEST44349765142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:37.855804920 CEST49761443192.168.2.5216.58.206.68
                                                        Oct 3, 2024 03:02:37.899446964 CEST44349761216.58.206.68192.168.2.5
                                                        Oct 3, 2024 03:02:47.610364914 CEST49767443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:47.610425949 CEST44349767142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:47.610532045 CEST49767443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:47.610869884 CEST49767443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:47.610892057 CEST44349767142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:47.767215014 CEST49768443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:47.767313004 CEST44349768142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:47.767422915 CEST49768443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:47.767776966 CEST49768443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:47.767813921 CEST44349768142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:48.250983000 CEST44349767142.250.186.142192.168.2.5
                                                        Oct 3, 2024 03:02:48.251346111 CEST49767443192.168.2.5142.250.186.142
                                                        Oct 3, 2024 03:02:48.251410961 CEST44349767142.250.186.142192.168.2.5
                                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                        Oct 3, 2024 03:01:03.401374102 CEST | 192.168.2.5 | 1.1.1.1 | 0xf224 | Standard query (0) | youtube.com | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:03.401689053 CEST | 192.168.2.5 | 1.1.1.1 | 0xae01 | Standard query (0) | youtube.com | 65 | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.380502939 CEST | 192.168.2.5 | 1.1.1.1 | 0xd508 | Standard query (0) | www.youtube.com | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.380779982 CEST | 192.168.2.5 | 1.1.1.1 | 0x836 | Standard query (0) | www.youtube.com | 65 | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:07.794951916 CEST | 192.168.2.5 | 1.1.1.1 | 0xed31 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:07.795085907 CEST | 192.168.2.5 | 1.1.1.1 | 0xf8b7 | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:12.349216938 CEST | 192.168.2.5 | 1.1.1.1 | 0xde52 | Standard query (0) | accounts.youtube.com | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:12.349718094 CEST | 192.168.2.5 | 1.1.1.1 | 0xf128 | Standard query (0) | accounts.youtube.com | 65 | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:13.411755085 CEST | 192.168.2.5 | 1.1.1.1 | 0x9e4c | Standard query (0) | play.google.com | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:13.412050009 CEST | 192.168.2.5 | 1.1.1.1 | 0x7ee4 | Standard query (0) | play.google.com | 65 | IN (0x0001) | false
                                                        Oct 3, 2024 03:02:14.595801115 CEST | 192.168.2.5 | 1.1.1.1 | 0x3e7a | Standard query (0) | play.google.com | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:02:14.595854998 CEST | 192.168.2.5 | 1.1.1.1 | 0x7e08 | Standard query (0) | play.google.com | 65 | IN (0x0001) | false
                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                        Oct 3, 2024 03:01:03.407896996 CEST | 1.1.1.1 | 192.168.2.5 | 0xf224 | No error (0) | youtube.com | | 216.58.212.142 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:03.408482075 CEST | 1.1.1.1 | 192.168.2.5 | 0xae01 | No error (0) | youtube.com | | | 65 | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | www.youtube.com | youtube-ui.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 142.250.185.238 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 142.250.185.206 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 142.250.185.174 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 142.250.186.110 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 142.250.181.238 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 142.250.185.110 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 142.250.184.238 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 216.58.206.46 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 172.217.16.142 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 142.250.185.142 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 142.250.186.46 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 216.58.212.174 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 142.250.184.206 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 172.217.16.206 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 172.217.18.14 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387202024 CEST | 1.1.1.1 | 192.168.2.5 | 0xd508 | No error (0) | youtube-ui.l.google.com | | 142.250.186.174 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387351036 CEST | 1.1.1.1 | 192.168.2.5 | 0x836 | No error (0) | www.youtube.com | youtube-ui.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:04.387351036 CEST | 1.1.1.1 | 192.168.2.5 | 0x836 | No error (0) | youtube-ui.l.google.com | | | 65 | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:07.801973104 CEST | 1.1.1.1 | 192.168.2.5 | 0xf8b7 | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:07.802164078 CEST | 1.1.1.1 | 192.168.2.5 | 0xed31 | No error (0) | www.google.com | | 216.58.206.68 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:12.357593060 CEST | 1.1.1.1 | 192.168.2.5 | 0xde52 | No error (0) | accounts.youtube.com | www3.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:12.357593060 CEST | 1.1.1.1 | 192.168.2.5 | 0xde52 | No error (0) | www3.l.google.com | | 142.250.186.78 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:12.360799074 CEST | 1.1.1.1 | 192.168.2.5 | 0xf128 | No error (0) | accounts.youtube.com | www3.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                        Oct 3, 2024 03:01:13.418359041 CEST | 1.1.1.1 | 192.168.2.5 | 0x9e4c | No error (0) | play.google.com | | 142.250.186.174 | A (IP address) | IN (0x0001) | false
                                                        Oct 3, 2024 03:02:14.602844000 CEST | 1.1.1.1 | 192.168.2.5 | 0x3e7a | No error (0) | play.google.com | | 142.250.186.142 | A (IP address) | IN (0x0001) | false
                                                        • youtube.com
                                                        • www.youtube.com
                                                        • fs.microsoft.com
                                                        • https:
                                                          • accounts.youtube.com
                                                          • play.google.com
                                                          • www.google.com
                                                        • slscr.update.microsoft.com
                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        0 | 192.168.2.5 | 49704 | 216.58.212.142 | 443 | 6332 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:01:04 UTC | 859 | OUT | GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1
                                                        Host: youtube.com
                                                        Connection: keep-alive
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        sec-ch-ua-platform: "Windows"
                                                        Upgrade-Insecure-Requests: 1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: none
                                                        Sec-Fetch-Mode: navigate
                                                        Sec-Fetch-User: ?1
                                                        Sec-Fetch-Dest: document
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        2024-10-03 01:01:04 UTC | 1919 | IN | HTTP/1.1 301 Moved Permanently
                                                        Content-Type: application/binary
                                                        X-Content-Type-Options: nosniff
                                                        Expires: Thu, 03 Oct 2024 01:01:04 GMT
                                                        Date: Thu, 03 Oct 2024 01:01:04 GMT
                                                        Cache-Control: private, max-age=31536000
                                                        Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd
                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                        X-Frame-Options: SAMEORIGIN
                                                        Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
                                                        Content-Security-Policy: require-trusted-types-for 'script'
                                                        Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
                                                        Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main"
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        Set-Cookie: YSC=LR4Ww4U4cC4; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        1 | 192.168.2.5 | 49710 | 142.250.185.238 | 443 | 6332 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:01:05 UTC | 902 | OUT | GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1
                                                        Host: www.youtube.com
                                                        Connection: keep-alive
                                                        Upgrade-Insecure-Requests: 1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: none
                                                        Sec-Fetch-Mode: navigate
                                                        Sec-Fetch-User: ?1
                                                        Sec-Fetch-Dest: document
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        sec-ch-ua-platform: "Windows"
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Cookie: YSC=LR4Ww4U4cC4
                                                        2024-10-03 01:01:05 UTC | 2530 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        X-Content-Type-Options: nosniff
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Thu, 03 Oct 2024 01:01:05 GMT
                                                        Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en
                                                        X-Frame-Options: SAMEORIGIN
                                                        Strict-Transport-Security: max-age=31536000
                                                        Content-Security-Policy: require-trusted-types-for 'script'
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main"
                                                        Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
                                                        Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
                                                        P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Thu, 03-Oct-2024 01:31:05 GMT; Path=/; Secure; HttpOnly
                                                        Set-Cookie: VISITOR_INFO1_LIVE=EnbQQeQ_Ap0; Domain=.youtube.com; Expires=Tue, 01-Apr-2025 01:01:05 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
                                                        Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgFQ%3D%3D; Domain=.youtube.com; Expires=Tue, 01-Apr-2025 01:01:05 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        2 | 192.168.2.5 | 49716 | 184.28.90.27 | 443 | |
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:01:08 UTC | 161 | OUT | HEAD /fs/windows/config.json HTTP/1.1
                                                        Connection: Keep-Alive
                                                        Accept: */*
                                                        Accept-Encoding: identity
                                                        User-Agent: Microsoft BITS/7.8
                                                        Host: fs.microsoft.com
                                                        2024-10-03 01:01:08 UTC | 466 | IN | HTTP/1.1 200 OK
                                                        Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                                                        Content-Type: application/octet-stream
                                                        ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                                                        Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                                                        Server: ECAcc (lpl/EF06)
                                                        X-CID: 11
                                                        X-Ms-ApiVersion: Distribute 1.2
                                                        X-Ms-Region: prod-neu-z1
                                                        Cache-Control: public, max-age=56682
                                                        Date: Thu, 03 Oct 2024 01:01:08 GMT
                                                        Connection: close
                                                        X-CID: 2


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        3 | 192.168.2.5 | 49721 | 184.28.90.27 | 443 | |
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:01:09 UTC | 239 | OUT | GET /fs/windows/config.json HTTP/1.1
                                                        Connection: Keep-Alive
                                                        Accept: */*
                                                        Accept-Encoding: identity
                                                        If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
                                                        Range: bytes=0-2147483646
                                                        User-Agent: Microsoft BITS/7.8
                                                        Host: fs.microsoft.com
                                                        2024-10-03 01:01:09 UTC | 514 | IN | HTTP/1.1 200 OK
                                                        ApiVersion: Distribute 1.1
                                                        Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                                                        Content-Type: application/octet-stream
                                                        ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                                                        Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                                                        Server: ECAcc (lpl/EF06)
                                                        X-CID: 11
                                                        X-Ms-ApiVersion: Distribute 1.2
                                                        X-Ms-Region: prod-weu-z1
                                                        Cache-Control: public, max-age=56625
                                                        Date: Thu, 03 Oct 2024 01:01:09 GMT
                                                        Content-Length: 55
                                                        Connection: close
                                                        X-CID: 2
                                                        2024-10-03 01:01:09 UTC | 55 | IN | Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d
                                                        Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        4 | 192.168.2.5 | 49732 | 142.250.186.78 | 443 | 6332 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:01:12 UTC | 1243 | OUT | GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=883938020&timestamp=1727917271313 HTTP/1.1
                                                        Host: accounts.youtube.com
                                                        Connection: keep-alive
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        sec-ch-ua-full-version: "117.0.5938.132"
                                                        sec-ch-ua-arch: "x86"
                                                        sec-ch-ua-platform: "Windows"
                                                        sec-ch-ua-platform-version: "10.0.0"
                                                        sec-ch-ua-model: ""
                                                        sec-ch-ua-bitness: "64"
                                                        sec-ch-ua-wow64: ?0
                                                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
                                                        Upgrade-Insecure-Requests: 1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: cross-site
                                                        Sec-Fetch-Mode: navigate
                                                        Sec-Fetch-User: ?1
                                                        Sec-Fetch-Dest: iframe
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        2024-10-03 01:01:13 UTC  1958  IN  HTTP/1.1 200 OK
                                                        Content-Type: text/html; charset=utf-8
                                                        X-Frame-Options: ALLOW-FROM https://accounts.google.com
                                                        Content-Security-Policy: frame-ancestors https://accounts.google.com
                                                        Content-Security-Policy: script-src 'report-sample' 'nonce-4BlMzlJEQEJehCylewSL5g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Thu, 03 Oct 2024 01:01:13 GMT
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Resource-Policy: cross-origin
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjMtDikmLw1JBikPj6kkkLiJ3SZ7CGAHHSv_OsJUB8ufsS63UgLpK4wtoCxELcHDdvft_OJtBwflG0kl5SfmF8ZkpqXklmSWVKfm5iZl5yfn52ZmpxcWpRWWpRvJGBkYmBpZGRnoFFfIEBAFKFKjs"
                                                        Server: ESF
                                                        X-XSS-Protection: 0
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Accept-Ranges: none
                                                        Vary: Accept-Encoding
                                                        Connection: close
                                                        Transfer-Encoding: chunked
                                                        2024-10-03 01:01:13 UTC  1958  IN  Data Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 34 42 6c 4d 7a 6c 4a 45 51 45 4a 65 68 43 79 6c 65 77 53 4c 35 67 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f
                                                        Data Ascii: 7619<html><head><script nonce="4BlMzlJEQEJehCylewSL5g">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs||{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
                                                        2024-10-03 01:01:13 UTC  1958  IN  Data Raw: 63 5b 31 5d 29 69 66 28 62 3d 2f 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b
                                                        Data Ascii: c[1])if(b=/Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+
                                                        2024-10-03 01:01:13 UTC  1958  IN  Data Raw: 61 29 7d 2c 49 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73
                                                        Data Ascii: a)},Ia=function(a){switch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}els
                                                        2024-10-03 01:01:13 UTC  1958  IN  Data Raw: 3f 61 2e 74 6f 4a 53 4f 4e 28 29 3a 49 61 28 61 29 7d 2c 53 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64
                                                        Data Ascii: ?a.toJSON():Ia(a)},Sa=function(a){var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void
                                                        2024-10-03 01:01:13 UTC  1958  IN  Data Raw: 20 62 28 63 2b 28 66 7c 7c 22 22 29 2b 22 5f 22 2b 64 2b 2b 2c 66 29 7d 3b 72 65 74 75 72 6e 20 65 7d 29 3b 0a 47 28 22 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b
                                                        Data Ascii: b(c+(f||"")+"_"+d++,f)};return e});G("Symbol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++
                                                        2024-10-03 01:01:13 UTC  1958  IN  Data Raw: 72 6e 21 31 7d 7d 28 29 29 72 65 74 75 72 6e 20 61 3b 0a 76 61 72 20 66 3d 22 24 6a 73 63 6f 6d 70 5f 68 69 64 64 65 6e 5f 22 2b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66
                                                        Data Ascii: rn!1}}())return a;var f="$jscomp_hidden_"+Math.random();e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=f
                                                        2024-10-03 01:01:13 UTC  1958  IN  Data Raw: 6b 65 79 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 76 61 6c 75 65 73 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66
                                                        Data Ascii: key})};c.prototype.values=function(){return e(this,function(g){return g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=f
                                                        2024-10-03 01:01:13 UTC  1958  IN  Data Raw: 28 62 29 7b 72 65 74 75 72 6e 20 4e 75 6d 62 65 72 2e 69 73 46 69 6e 69 74 65 28 62 29 3f 62 3d 3d 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 62 29 3a 21 31 7d 7d 29 3b 47 28 22 4e 75 6d 62 65 72 2e 69 73 4e 61 4e 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69
                                                        Data Ascii: (b){return Number.isFinite(b)?b===Math.floor(b):!1}});G("Number.isNaN",function(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb||{},q=this||self,gb=q._F_toggles||[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)i
                                                        2024-10-03 01:01:13 UTC  1958  IN  Data Raw: 66 2c 61 29 7d 3b 76 61 72 20 78 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 7c 7c 28 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d
                                                        Data Ascii: f,a)};var xa=function(a,b){a.__closure__error__context__984382||(a.__closure__error__context__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c||q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({m
                                                        2024-10-03 01:01:13 UTC  1958  IN  Data Raw: 22 2c 20 22 29 3b 76 61 72 20 66 3d 64 5b 65 5d 3b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 66 29 7b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 66 3d 66 3f 22 6f 62 6a 65 63 74 22 3a 22 6e 75 6c 6c 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 73 74 72 69 6e 67 22 3a 62 72 65 61 6b 3b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c
                                                        Data Ascii: ", ");var f=d[e];switch(typeof f){case "object":f=f?"object":"null";break;case "string":break;case "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,


                                                        Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                        5  192.168.2.5  49737  142.250.186.174  443  6332  C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp  Bytes transferred  Direction  Data
                                                        2024-10-03 01:01:14 UTC  549  OUT  OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                        Host: play.google.com
                                                        Connection: keep-alive
                                                        Accept: */*
                                                        Access-Control-Request-Method: POST
                                                        Access-Control-Request-Headers: x-goog-authuser
                                                        Origin: https://accounts.google.com
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        Sec-Fetch-Mode: cors
                                                        Sec-Fetch-Site: same-site
                                                        Sec-Fetch-Dest: empty
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        2024-10-03 01:01:14 UTC  520  IN  HTTP/1.1 200 OK
                                                        Access-Control-Allow-Origin: https://accounts.google.com
                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                        Access-Control-Max-Age: 86400
                                                        Access-Control-Allow-Credentials: true
                                                        Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser
                                                        Content-Type: text/plain; charset=UTF-8
                                                        Date: Thu, 03 Oct 2024 01:01:14 GMT
                                                        Server: Playlog
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                        6  192.168.2.5  49736  142.250.186.174  443  6332  C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp  Bytes transferred  Direction  Data
                                                        2024-10-03 01:01:14 UTC  549  OUT  OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                        Host: play.google.com
                                                        Connection: keep-alive
                                                        Accept: */*
                                                        Access-Control-Request-Method: POST
                                                        Access-Control-Request-Headers: x-goog-authuser
                                                        Origin: https://accounts.google.com
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        Sec-Fetch-Mode: cors
                                                        Sec-Fetch-Site: same-site
                                                        Sec-Fetch-Dest: empty
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        2024-10-03 01:01:14 UTC  520  IN  HTTP/1.1 200 OK
                                                        Access-Control-Allow-Origin: https://accounts.google.com
                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                        Access-Control-Max-Age: 86400
                                                        Access-Control-Allow-Credentials: true
                                                        Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser
                                                        Content-Type: text/plain; charset=UTF-8
                                                        Date: Thu, 03 Oct 2024 01:01:14 GMT
                                                        Server: Playlog
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                        7  192.168.2.5  49741  142.250.186.174  443  6332  C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp  Bytes transferred  Direction  Data
                                                        2024-10-03 01:01:15 UTC  1132  OUT  POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                        Host: play.google.com
                                                        Connection: keep-alive
                                                        Content-Length: 519
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        sec-ch-ua-arch: "x86"
                                                        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                        sec-ch-ua-full-version: "117.0.5938.132"
                                                        sec-ch-ua-platform-version: "10.0.0"
                                                        X-Goog-AuthUser: 0
                                                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
                                                        sec-ch-ua-bitness: "64"
                                                        sec-ch-ua-model: ""
                                                        sec-ch-ua-wow64: ?0
                                                        sec-ch-ua-platform: "Windows"
                                                        Accept: */*
                                                        Origin: https://accounts.google.com
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: same-site
                                                        Sec-Fetch-Mode: cors
                                                        Sec-Fetch-Dest: empty
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        2024-10-03 01:01:15 UTC  519  OUT  Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 31 37 32 37 32 34 37 39 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                        Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727917272479",null,null,null
                                                        2024-10-03 01:01:15 UTC  933  IN  HTTP/1.1 200 OK
                                                        Access-Control-Allow-Origin: https://accounts.google.com
                                                        Cross-Origin-Resource-Policy: cross-origin
                                                        Access-Control-Allow-Credentials: true
                                                        Access-Control-Allow-Headers: X-Playlog-Web
                                                        Set-Cookie: NID=518=K0CeW5KNXe3aJ3fjAFkF0h_g5ELoFj4Iw0EpXaYMJDHXTyaJWaFe_DVEpUGbZAb54o6qaqzJE14LjtfNvvix9q-q3XuQCOM4mKUOqS8tiDjBYkMxk56S1xACG0vVYy9IL3y4oRD-ss2B6UuAG-eUMwLaVdPC32N530dvh4NYCfLrypS5cVE; expires=Fri, 04-Apr-2025 01:01:15 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                        Content-Type: text/plain; charset=UTF-8
                                                        Date: Thu, 03 Oct 2024 01:01:15 GMT
                                                        Server: Playlog
                                                        Cache-Control: private
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Accept-Ranges: none
                                                        Vary: Accept-Encoding
                                                        Expires: Thu, 03 Oct 2024 01:01:15 GMT
                                                        Connection: close
                                                        Transfer-Encoding: chunked
                                                        2024-10-03 01:01:15 UTC  137  IN  Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                        Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                        2024-10-03 01:01:15 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0
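The session and exchange rows in these tables are printed with their cell boundaries removed, so a row such as "4192.168.2.549732142.250.186.784436332C:\..." has to be split back into session ID, source IP/port, destination IP/port, PID and process before it can be fed to any tooling. Because octets, ports and PIDs are all bare decimals, more than one split is usually valid (142.250.186.78:443 with PID 6332 and 142.250.186.7:8443 with PID 6332 both fit the same row). The helper below is an added example, not Joe Sandbox code: it enumerates every syntactically valid split, then narrows the set with facts an analyst takes from the rest of the report. The sample rows are copied from the session 4 and session 7 tables above; the facts used to disambiguate them (192.168.2.5 as the analysis machine's address, 6332 as chrome.exe's PID, 443 as the expected destination port) are assumptions consistent with the visible rows, not values printed in this section. The column order is taken from the table headers.

```python
"""Recover the columns of Joe Sandbox network-table rows whose cell boundaries
were lost, e.g. "4192.168.2.549732142.250.186.784436332C:\\...".  Added example,
not Joe Sandbox code.  Column order follows the report's table headers."""
import re
from dataclasses import dataclass
from itertools import product
from typing import Iterable, Iterator, Optional


@dataclass(frozen=True)
class Session:
    session_id: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    pid: int
    process: str


@dataclass(frozen=True)
class Exchange:
    timestamp: str
    nbytes: int
    direction: str  # "OUT" = sent by the sandbox, "IN" = received from the server
    data: str


class AmbiguousRow(ValueError):
    """Raised when the constraints leave zero or several candidate parses."""

    def __init__(self, row: str, candidates: list):
        super().__init__(f"{len(candidates)} candidate parses for {row!r}")
        self.candidates = candidates


def _num(s: str) -> Optional[int]:
    """A decimal field as the report prints it: non-empty, no leading zeros."""
    if not s or (len(s) > 1 and s[0] == "0"):
        return None
    return int(s)


def _octet(s: str) -> Optional[int]:
    n = _num(s)
    return n if n is not None and n <= 255 else None


def _port(s: str) -> Optional[int]:
    n = _num(s)
    return n if n is not None and 1 <= n <= 65535 else None


def candidate_sessions(row: str) -> list:
    """Every split of the leading digit run that is a syntactically valid row."""
    m = re.match(r"^([\d.]+)([A-Za-z]:\\.*)$", row)  # the path starts at the drive letter
    if not m:
        return []
    prefix, process = m.groups()
    runs = prefix.split(".")
    if len(runs) != 7:  # two dotted quads contribute exactly six dots
        return []
    a, s2, s3, b, d2, d3, c = runs
    found = []
    # a = session id + src octet 1;  b = src octet 4 + src port + dst octet 1;
    # c = dst octet 4 + dst port + pid.  Try octet widths 1-3 and port widths 1-5.
    for k, i, j, x, y in product(range(1, 4), range(1, 4), range(1, 4), range(1, 4), range(1, 6)):
        sid, s1 = _num(a[:-k]), _octet(a[-k:])
        s4, sp, d1 = _octet(b[:i]), _port(b[i:len(b) - j]), _octet(b[-j:])
        d4, dp, pid = _octet(c[:x]), _port(c[x:x + y]), _num(c[x + y:])
        fields = (sid, s1, _octet(s2), _octet(s3), s4, sp, d1, _octet(d2), _octet(d3), d4, dp, pid)
        if None in fields:
            continue
        found.append(Session(sid, f"{s1}.{s2}.{s3}.{s4}", sp, f"{d1}.{d2}.{d3}.{d4}", dp, pid, process))
    return found


def parse_session_row(row: str, *, local_ips: Iterable[str] = (), pids: Iterable[int] = (),
                      ports: Iterable[int] = ()) -> Session:
    """Filter candidates with facts from elsewhere in the report (analysis-machine
    IP, PIDs from the process list, expected ports) and insist on one survivor."""
    local_ips, pids, ports = set(local_ips), set(pids), set(ports)
    cands = [s for s in candidate_sessions(row)
             if (not local_ips or s.src_ip in local_ips)
             and (not pids or s.pid in pids)
             and (not ports or s.dst_port in ports)]
    if len(cands) != 1:
        raise AmbiguousRow(row, cands)
    return cands[0]


# Timestamp, byte count and direction never collide: the count is all digits and
# the direction token starts with a letter, so this split is unambiguous.
EXCHANGE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC)(\d+)(IN|OUT)(.*)$")


def parse_exchange_row(row: str) -> Exchange:
    m = EXCHANGE_RE.match(row)
    if not m:
        raise ValueError(f"not an exchange row: {row!r}")
    ts, n, direction, data = m.groups()
    return Exchange(ts, int(n), direction, data)


def request_lines(rows: Iterable[str]) -> Iterator[tuple]:
    """(timestamp, request line) for each outbound HTTP request in a session."""
    for row in rows:
        e = parse_exchange_row(row)
        if e.direction == "OUT" and re.match(r"[A-Z]+ \S+ HTTP/\d", e.data):
            yield e.timestamp, e.data


# Rows copied verbatim from the session 4 and session 7 tables of this report.
ROWS = [
    "4192.168.2.549732142.250.186.784436332C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "7192.168.2.549741142.250.186.1744436332C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
]
EXCHANGE_ROWS = [  # session 4; the hex of the third row is truncated here
    "2024-10-03 01:01:12 UTC1243OUTGET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=883938020&timestamp=1727917271313 HTTP/1.1",
    "2024-10-03 01:01:13 UTC1958INHTTP/1.1 200 OK",
    "2024-10-03 01:01:13 UTC1958INData Raw: 37 36 31 39 0d 0a 3c 68 74 6d 6c 3e",
]

if __name__ == "__main__":
    # Assumed facts: sandbox IP 192.168.2.5, chrome.exe PID 6332, HTTPS on 443.
    facts = dict(local_ips={"192.168.2.5"}, pids={6332}, ports={443})
    for row in ROWS:
        s = parse_session_row(row, **facts)
        print(f"session {s.session_id}: {s.src_ip}:{s.src_port} -> {s.dst_ip}:{s.dst_port} pid={s.pid}")
    for ts, line in request_lines(EXCHANGE_ROWS):
        print(ts, line)
```

Dropping the `ports` constraint makes `parse_session_row` raise `AmbiguousRow` for both sample rows, with the two surviving candidates attached, which is the right outcome for a scraper: an IP/port pair that was guessed rather than recovered would poison any blocklist or IOC set built from it.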


                                                        Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                        8  192.168.2.5  49739  142.250.186.174  443  6332  C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp  Bytes transferred  Direction  Data
                                                        2024-10-03 01:01:15 UTC  1132  OUT  POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                        Host: play.google.com
                                                        Connection: keep-alive
                                                        Content-Length: 519
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        sec-ch-ua-arch: "x86"
                                                        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                        sec-ch-ua-full-version: "117.0.5938.132"
                                                        sec-ch-ua-platform-version: "10.0.0"
                                                        X-Goog-AuthUser: 0
                                                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
                                                        sec-ch-ua-bitness: "64"
                                                        sec-ch-ua-model: ""
                                                        sec-ch-ua-wow64: ?0
                                                        sec-ch-ua-platform: "Windows"
                                                        Accept: */*
                                                        Origin: https://accounts.google.com
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: same-site
                                                        Sec-Fetch-Mode: cors
                                                        Sec-Fetch-Dest: empty
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        2024-10-03 01:01:15 UTC519OUTData Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 31 37 32 37 32 33 37 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                        Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727917272372",null,null,null
                                                        2024-10-03 01:01:15 UTC | 933 | IN | HTTP/1.1 200 OK
                                                        Access-Control-Allow-Origin: https://accounts.google.com
                                                        Cross-Origin-Resource-Policy: cross-origin
                                                        Access-Control-Allow-Credentials: true
                                                        Access-Control-Allow-Headers: X-Playlog-Web
                                                        Set-Cookie: NID=518=1cJKq88DL4p6Lmr75sYj4DThWgBiWr5XjSVNG4BAv0w88GuNsy_vZ9J2opdRiOU82m-MtqEDJkK9qwoeWc0Q65w9peAhELyn_BPAroAFqM0qxQ208yJC8bsTwGYIipKLXvU4OPkmoKbBcsxL1zt7i0evR_Wn1qtt163J5Mmc5K8ZWkMGJEI; expires=Fri, 04-Apr-2025 01:01:15 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                        Content-Type: text/plain; charset=UTF-8
                                                        Date: Thu, 03 Oct 2024 01:01:15 GMT
                                                        Server: Playlog
                                                        Cache-Control: private
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Accept-Ranges: none
                                                        Vary: Accept-Encoding
                                                        Expires: Thu, 03 Oct 2024 01:01:15 GMT
                                                        Connection: close
                                                        Transfer-Encoding: chunked
                                                        2024-10-03 01:01:15 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                        Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                        2024-10-03 01:01:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID: 9
                                                        Source IP: 192.168.2.5
                                                        Source Port: 49715
                                                        Destination IP: 216.58.206.68
                                                        Destination Port: 443
                                                        PID: 6332
                                                        Process: C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:01:15 UTC | 1222 | OUT | GET /favicon.ico HTTP/1.1
                                                        Host: www.google.com
                                                        Connection: keep-alive
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        sec-ch-ua-arch: "x86"
                                                        sec-ch-ua-full-version: "117.0.5938.132"
                                                        sec-ch-ua-platform-version: "10.0.0"
                                                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
                                                        sec-ch-ua-bitness: "64"
                                                        sec-ch-ua-model: ""
                                                        sec-ch-ua-wow64: ?0
                                                        sec-ch-ua-platform: "Windows"
                                                        Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: same-site
                                                        Sec-Fetch-Mode: no-cors
                                                        Sec-Fetch-Dest: image
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Cookie: NID=518=1cJKq88DL4p6Lmr75sYj4DThWgBiWr5XjSVNG4BAv0w88GuNsy_vZ9J2opdRiOU82m-MtqEDJkK9qwoeWc0Q65w9peAhELyn_BPAroAFqM0qxQ208yJC8bsTwGYIipKLXvU4OPkmoKbBcsxL1zt7i0evR_Wn1qtt163J5Mmc5K8ZWkMGJEI
                                                        2024-10-03 01:01:15 UTC | 705 | IN | HTTP/1.1 200 OK
                                                        Accept-Ranges: bytes
                                                        Cross-Origin-Resource-Policy: cross-origin
                                                        Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable"
                                                        Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]}
                                                        Content-Length: 5430
                                                        X-Content-Type-Options: nosniff
                                                        Server: sffe
                                                        X-XSS-Protection: 0
                                                        Date: Wed, 02 Oct 2024 22:47:46 GMT
                                                        Expires: Thu, 10 Oct 2024 22:47:46 GMT
                                                        Cache-Control: public, max-age=691200
                                                        Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT
                                                        Content-Type: image/x-icon
                                                        Vary: Accept-Encoding
                                                        Age: 8009
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close
                                                        2024-10-03 01:01:15 UTC685INData Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff
                                                        Data Ascii: h& ( 0.v]X:X:rY
                                                        2024-10-03 01:01:15 UTC1390INData Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a
                                                        Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
                                                        2024-10-03 01:01:15 UTC1390INData Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff
                                                        Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
                                                        2024-10-03 01:01:15 UTC1390INData Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                        Data Ascii: BBBBBBF!4I
                                                        2024-10-03 01:01:15 UTC575INData Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                        Data Ascii: $'


                                                        Session ID: 10
                                                        Source IP: 192.168.2.5
                                                        Source Port: 49745
                                                        Destination IP: 20.12.23.50
                                                        Destination Port: 443
                                                        PID:
                                                        Process:
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:01:17 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ewFdoPw4kVxTdlA&MD=16USvz9R HTTP/1.1
                                                        Connection: Keep-Alive
                                                        Accept: */*
                                                        User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                        Host: slscr.update.microsoft.com
                                                        2024-10-03 01:01:18 UTC | 560 | IN | HTTP/1.1 200 OK
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Type: application/octet-stream
                                                        Expires: -1
                                                        Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                        ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
                                                        MS-CorrelationId: acde853b-01ba-4f4a-81a8-7b70f2260854
                                                        MS-RequestId: 982fc31a-5d41-40b3-a55a-3c2b2efa0aa2
                                                        MS-CV: AMX87rkAO0eHS19A.0
                                                        X-Microsoft-SLSClientCache: 2880
                                                        Content-Disposition: attachment; filename=environment.cab
                                                        X-Content-Type-Options: nosniff
                                                        Date: Thu, 03 Oct 2024 01:01:17 GMT
                                                        Connection: close
                                                        Content-Length: 24490
                                                        2024-10-03 01:01:18 UTC15824INData Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58
                                                        Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
                                                        2024-10-03 01:01:18 UTC8666INData Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31
                                                        Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1


                                                        Session ID: 11
                                                        Source IP: 192.168.2.5
                                                        Source Port: 49755
                                                        Destination IP: 142.250.186.174
                                                        Destination Port: 443
                                                        PID: 6332
                                                        Process: C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:01:22 UTC | 1307 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                        Host: play.google.com
                                                        Connection: keep-alive
                                                        Content-Length: 1224
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        sec-ch-ua-arch: "x86"
                                                        Content-Type: text/plain;charset=UTF-8
                                                        sec-ch-ua-full-version: "117.0.5938.132"
                                                        sec-ch-ua-platform-version: "10.0.0"
                                                        X-Goog-AuthUser: 0
                                                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
                                                        sec-ch-ua-bitness: "64"
                                                        sec-ch-ua-model: ""
                                                        sec-ch-ua-wow64: ?0
                                                        sec-ch-ua-platform: "Windows"
                                                        Accept: */*
                                                        Origin: https://accounts.google.com
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: same-site
                                                        Sec-Fetch-Mode: cors
                                                        Sec-Fetch-Dest: empty
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Cookie: NID=518=1cJKq88DL4p6Lmr75sYj4DThWgBiWr5XjSVNG4BAv0w88GuNsy_vZ9J2opdRiOU82m-MtqEDJkK9qwoeWc0Q65w9peAhELyn_BPAroAFqM0qxQ208yJC8bsTwGYIipKLXvU4OPkmoKbBcsxL1zt7i0evR_Wn1qtt163J5Mmc5K8ZWkMGJEI
                                                        2024-10-03 01:01:22 UTC1224OUTData Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 35 35 38 2c 5b 5b 22 31 37 32 37 39 31 37 32 37 30 30 30 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c
                                                        Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],558,[["1727917270000",null,null,null,
                                                        2024-10-03 01:01:22 UTC | 941 | IN | HTTP/1.1 200 OK
                                                        Access-Control-Allow-Origin: https://accounts.google.com
                                                        Cross-Origin-Resource-Policy: cross-origin
                                                        Access-Control-Allow-Credentials: true
                                                        Access-Control-Allow-Headers: X-Playlog-Web
                                                        Set-Cookie: NID=518=GVAlKW7_inQJ-bivYqoI4k2GVp50ZtVcZgMHqQM9xu1eEXz-ttL4xYeIpMslCS5FT4vgTLps5zcvKoSE-DUsINB18bSBsbxlQkfk7hURqv32d0NmA7trG7BIGc5l9zi1kq_eNp6lefIvxK93ccG9uJdjVhXiT7K6ggEEV7TeKKPNbanq0IuUSpgezn8; expires=Fri, 04-Apr-2025 01:01:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                        Content-Type: text/plain; charset=UTF-8
                                                        Date: Thu, 03 Oct 2024 01:01:22 GMT
                                                        Server: Playlog
                                                        Cache-Control: private
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Accept-Ranges: none
                                                        Vary: Accept-Encoding
                                                        Expires: Thu, 03 Oct 2024 01:01:22 GMT
                                                        Connection: close
                                                        Transfer-Encoding: chunked
                                                        2024-10-03 01:01:22 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                        Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                        2024-10-03 01:01:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID: 12
                                                        Source IP: 192.168.2.5
                                                        Source Port: 49756
                                                        Destination IP: 142.250.186.174
                                                        Destination Port: 443
                                                        PID: 6332
                                                        Process: C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:01:44 UTC | 1338 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                        Host: play.google.com
                                                        Connection: keep-alive
                                                        Content-Length: 1224
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        sec-ch-ua-arch: "x86"
                                                        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                        sec-ch-ua-full-version: "117.0.5938.132"
                                                        sec-ch-ua-platform-version: "10.0.0"
                                                        X-Goog-AuthUser: 0
                                                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
                                                        sec-ch-ua-bitness: "64"
                                                        sec-ch-ua-model: ""
                                                        sec-ch-ua-wow64: ?0
                                                        sec-ch-ua-platform: "Windows"
                                                        Accept: */*
                                                        Origin: https://accounts.google.com
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: same-site
                                                        Sec-Fetch-Mode: cors
                                                        Sec-Fetch-Dest: empty
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Cookie: NID=518=GVAlKW7_inQJ-bivYqoI4k2GVp50ZtVcZgMHqQM9xu1eEXz-ttL4xYeIpMslCS5FT4vgTLps5zcvKoSE-DUsINB18bSBsbxlQkfk7hURqv32d0NmA7trG7BIGc5l9zi1kq_eNp6lefIvxK93ccG9uJdjVhXiT7K6ggEEV7TeKKPNbanq0IuUSpgezn8
                                                        2024-10-03 01:01:44 UTC1224OUTData Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 31 37 33 30 32 37 36 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                        Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727917302765",null,null,null
                                                        2024-10-03 01:01:44 UTC | 523 | IN | HTTP/1.1 200 OK
                                                        Access-Control-Allow-Origin: https://accounts.google.com
                                                        Cross-Origin-Resource-Policy: cross-origin
                                                        Access-Control-Allow-Credentials: true
                                                        Access-Control-Allow-Headers: X-Playlog-Web
                                                        Content-Type: text/plain; charset=UTF-8
                                                        Date: Thu, 03 Oct 2024 01:01:44 GMT
                                                        Server: Playlog
                                                        Cache-Control: private
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Accept-Ranges: none
                                                        Vary: Accept-Encoding
                                                        Connection: close
                                                        Transfer-Encoding: chunked
                                                        2024-10-03 01:01:44 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                        Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                        2024-10-03 01:01:44 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        13 | 192.168.2.5 | 49757 | 142.250.186.174 | 443 | 6332 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:01:45 UTC | 1297 | OUT | POST /log?hasfast=true&authuser=0&format=json HTTP/1.1
                                                        Host: play.google.com
                                                        Connection: keep-alive
                                                        Content-Length: 861
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        sec-ch-ua-arch: "x86"
                                                        sec-ch-ua-full-version: "117.0.5938.132"
                                                        Content-Type: text/plain;charset=UTF-8
                                                        sec-ch-ua-platform-version: "10.0.0"
                                                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
                                                        sec-ch-ua-bitness: "64"
                                                        sec-ch-ua-model: ""
                                                        sec-ch-ua-wow64: ?0
                                                        sec-ch-ua-platform: "Windows"
                                                        Accept: */*
                                                        Origin: https://accounts.google.com
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: same-site
                                                        Sec-Fetch-Mode: no-cors
                                                        Sec-Fetch-Dest: empty
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Cookie: NID=518=GVAlKW7_inQJ-bivYqoI4k2GVp50ZtVcZgMHqQM9xu1eEXz-ttL4xYeIpMslCS5FT4vgTLps5zcvKoSE-DUsINB18bSBsbxlQkfk7hURqv32d0NmA7trG7BIGc5l9zi1kq_eNp6lefIvxK93ccG9uJdjVhXiT7K6ggEEV7TeKKPNbanq0IuUSpgezn8
                                                        2024-10-03 01:01:45 UTC | 861 | OUT | Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 33 2c 30 2c 30
                                                        Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[3,0,0
                                                        2024-10-03 01:01:45 UTC | 523 | IN | HTTP/1.1 200 OK
                                                        Access-Control-Allow-Origin: https://accounts.google.com
                                                        Cross-Origin-Resource-Policy: cross-origin
                                                        Access-Control-Allow-Credentials: true
                                                        Access-Control-Allow-Headers: X-Playlog-Web
                                                        Content-Type: text/plain; charset=UTF-8
                                                        Date: Thu, 03 Oct 2024 01:01:45 GMT
                                                        Server: Playlog
                                                        Cache-Control: private
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Accept-Ranges: none
                                                        Vary: Accept-Encoding
                                                        Connection: close
                                                        Transfer-Encoding: chunked
                                                        2024-10-03 01:01:45 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                        Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                        2024-10-03 01:01:45 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        14 | 192.168.2.5 | 49758 | 142.250.186.174 | 443 | 6332 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:01:47 UTC | 1338 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                        Host: play.google.com
                                                        Connection: keep-alive
                                                        Content-Length: 1392
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        sec-ch-ua-arch: "x86"
                                                        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                        sec-ch-ua-full-version: "117.0.5938.132"
                                                        sec-ch-ua-platform-version: "10.0.0"
                                                        X-Goog-AuthUser: 0
                                                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
                                                        sec-ch-ua-bitness: "64"
                                                        sec-ch-ua-model: ""
                                                        sec-ch-ua-wow64: ?0
                                                        sec-ch-ua-platform: "Windows"
                                                        Accept: */*
                                                        Origin: https://accounts.google.com
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: same-site
                                                        Sec-Fetch-Mode: cors
                                                        Sec-Fetch-Dest: empty
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Cookie: NID=518=GVAlKW7_inQJ-bivYqoI4k2GVp50ZtVcZgMHqQM9xu1eEXz-ttL4xYeIpMslCS5FT4vgTLps5zcvKoSE-DUsINB18bSBsbxlQkfk7hURqv32d0NmA7trG7BIGc5l9zi1kq_eNp6lefIvxK93ccG9uJdjVhXiT7K6ggEEV7TeKKPNbanq0IuUSpgezn8
                                                        2024-10-03 01:01:47 UTC | 1392 | OUT | Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 31 37 33 30 35 37 30 32 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                        Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727917305702",null,null,null
                                                        2024-10-03 01:01:47 UTC | 523 | IN | HTTP/1.1 200 OK
                                                        Access-Control-Allow-Origin: https://accounts.google.com
                                                        Cross-Origin-Resource-Policy: cross-origin
                                                        Access-Control-Allow-Credentials: true
                                                        Access-Control-Allow-Headers: X-Playlog-Web
                                                        Content-Type: text/plain; charset=UTF-8
                                                        Date: Thu, 03 Oct 2024 01:01:47 GMT
                                                        Server: Playlog
                                                        Cache-Control: private
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Accept-Ranges: none
                                                        Vary: Accept-Encoding
                                                        Connection: close
                                                        Transfer-Encoding: chunked
                                                        2024-10-03 01:01:47 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                        Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                        2024-10-03 01:01:47 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        15 | 192.168.2.5 | 49759 | 20.12.23.50 | 443 | (not recorded) | (not recorded)
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:01:55 UTC | 306 | OUT | GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=ewFdoPw4kVxTdlA&MD=16USvz9R HTTP/1.1
                                                        Connection: Keep-Alive
                                                        Accept: */*
                                                        User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                        Host: slscr.update.microsoft.com
                                                        2024-10-03 01:01:56 UTC | 560 | IN | HTTP/1.1 200 OK
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Type: application/octet-stream
                                                        Expires: -1
                                                        Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                        ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440"
                                                        MS-CorrelationId: 768cf9ca-0a3b-4f50-bf2e-15bd030537e5
                                                        MS-RequestId: 7757b84b-1fbd-4ed1-963c-244da191d5d7
                                                        MS-CV: pHOnbiSzmU6dJQ37.0
                                                        X-Microsoft-SLSClientCache: 1440
                                                        Content-Disposition: attachment; filename=environment.cab
                                                        X-Content-Type-Options: nosniff
                                                        Date: Thu, 03 Oct 2024 01:01:55 GMT
                                                        Connection: close
                                                        Content-Length: 30005
                                                        2024-10-03 01:01:56 UTC | 15824 | IN | Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e
                                                        Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
                                                        2024-10-03 01:01:56 UTC | 14181 | IN | Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f
                                                        Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        16 | 192.168.2.5 | 49764 | 142.250.186.142 | 443 | 6332 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:02:15 UTC | 1338 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                        Host: play.google.com
                                                        Connection: keep-alive
                                                        Content-Length: 1392
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        sec-ch-ua-arch: "x86"
                                                        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                        sec-ch-ua-full-version: "117.0.5938.132"
                                                        sec-ch-ua-platform-version: "10.0.0"
                                                        X-Goog-AuthUser: 0
                                                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
                                                        sec-ch-ua-bitness: "64"
                                                        sec-ch-ua-model: ""
                                                        sec-ch-ua-wow64: ?0
                                                        sec-ch-ua-platform: "Windows"
                                                        Accept: */*
                                                        Origin: https://accounts.google.com
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: same-site
                                                        Sec-Fetch-Mode: cors
                                                        Sec-Fetch-Dest: empty
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Cookie: NID=518=GVAlKW7_inQJ-bivYqoI4k2GVp50ZtVcZgMHqQM9xu1eEXz-ttL4xYeIpMslCS5FT4vgTLps5zcvKoSE-DUsINB18bSBsbxlQkfk7hURqv32d0NmA7trG7BIGc5l9zi1kq_eNp6lefIvxK93ccG9uJdjVhXiT7K6ggEEV7TeKKPNbanq0IuUSpgezn8
                                                        2024-10-03 01:02:15 UTC | 1392 | OUT | Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 31 37 33 33 33 35 36 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                        Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727917333565",null,null,null
                                                        2024-10-03 01:02:15 UTC | 523 | IN | HTTP/1.1 200 OK
                                                        Access-Control-Allow-Origin: https://accounts.google.com
                                                        Cross-Origin-Resource-Policy: cross-origin
                                                        Access-Control-Allow-Credentials: true
                                                        Access-Control-Allow-Headers: X-Playlog-Web
                                                        Content-Type: text/plain; charset=UTF-8
                                                        Date: Thu, 03 Oct 2024 01:02:15 GMT
                                                        Server: Playlog
                                                        Cache-Control: private
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Accept-Ranges: none
                                                        Vary: Accept-Encoding
                                                        Connection: close
                                                        Transfer-Encoding: chunked
                                                        2024-10-03 01:02:15 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                        Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                        2024-10-03 01:02:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        17 | 192.168.2.5 | 49765 | 142.250.186.142 | 443 | 6332 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:02:18 UTC | 1338 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                        Host: play.google.com
                                                        Connection: keep-alive
                                                        Content-Length: 1361
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        sec-ch-ua-arch: "x86"
                                                        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                        sec-ch-ua-full-version: "117.0.5938.132"
                                                        sec-ch-ua-platform-version: "10.0.0"
                                                        X-Goog-AuthUser: 0
                                                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
                                                        sec-ch-ua-bitness: "64"
                                                        sec-ch-ua-model: ""
                                                        sec-ch-ua-wow64: ?0
                                                        sec-ch-ua-platform: "Windows"
                                                        Accept: */*
                                                        Origin: https://accounts.google.com
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: same-site
                                                        Sec-Fetch-Mode: cors
                                                        Sec-Fetch-Dest: empty
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Cookie: NID=518=GVAlKW7_inQJ-bivYqoI4k2GVp50ZtVcZgMHqQM9xu1eEXz-ttL4xYeIpMslCS5FT4vgTLps5zcvKoSE-DUsINB18bSBsbxlQkfk7hURqv32d0NmA7trG7BIGc5l9zi1kq_eNp6lefIvxK93ccG9uJdjVhXiT7K6ggEEV7TeKKPNbanq0IuUSpgezn8
                                                        2024-10-03 01:02:18 UTC | 1361 | OUT | Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 31 37 33 33 36 35 30 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                        Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727917336501",null,null,null
                                                        2024-10-03 01:02:18 UTC | 523 | IN | HTTP/1.1 200 OK
                                                        Access-Control-Allow-Origin: https://accounts.google.com
                                                        Cross-Origin-Resource-Policy: cross-origin
                                                        Access-Control-Allow-Credentials: true
                                                        Access-Control-Allow-Headers: X-Playlog-Web
                                                        Content-Type: text/plain; charset=UTF-8
                                                        Date: Thu, 03 Oct 2024 01:02:18 GMT
                                                        Server: Playlog
                                                        Cache-Control: private
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Accept-Ranges: none
                                                        Vary: Accept-Encoding
                                                        Connection: close
                                                        Transfer-Encoding: chunked
                                                        2024-10-03 01:02:18 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                        Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                        2024-10-03 01:02:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        18 | 192.168.2.5 | 49767 | 142.250.186.142 | 443 | 6332 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:02:48 UTC | 1338 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                        Host: play.google.com
                                                        Connection: keep-alive
                                                        Content-Length: 1307
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        sec-ch-ua-arch: "x86"
                                                        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                        sec-ch-ua-full-version: "117.0.5938.132"
                                                        sec-ch-ua-platform-version: "10.0.0"
                                                        X-Goog-AuthUser: 0
                                                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
                                                        sec-ch-ua-bitness: "64"
                                                        sec-ch-ua-model: ""
                                                        sec-ch-ua-wow64: ?0
                                                        sec-ch-ua-platform: "Windows"
                                                        Accept: */*
                                                        Origin: https://accounts.google.com
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: same-site
                                                        Sec-Fetch-Mode: cors
                                                        Sec-Fetch-Dest: empty
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Cookie: NID=518=GVAlKW7_inQJ-bivYqoI4k2GVp50ZtVcZgMHqQM9xu1eEXz-ttL4xYeIpMslCS5FT4vgTLps5zcvKoSE-DUsINB18bSBsbxlQkfk7hURqv32d0NmA7trG7BIGc5l9zi1kq_eNp6lefIvxK93ccG9uJdjVhXiT7K6ggEEV7TeKKPNbanq0IuUSpgezn8
                                                        2024-10-03 01:02:48 UTC | 1307 | OUT | Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 31 37 33 36 36 35 38 30 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                        Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727917366580",null,null,null
                                                        2024-10-03 01:02:48 UTC | 523 | IN | HTTP/1.1 200 OK
                                                        Access-Control-Allow-Origin: https://accounts.google.com
                                                        Cross-Origin-Resource-Policy: cross-origin
                                                        Access-Control-Allow-Credentials: true
                                                        Access-Control-Allow-Headers: X-Playlog-Web
                                                        Content-Type: text/plain; charset=UTF-8
                                                        Date: Thu, 03 Oct 2024 01:02:48 GMT
                                                        Server: Playlog
                                                        Cache-Control: private
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Accept-Ranges: none
                                                        Vary: Accept-Encoding
                                                        Connection: close
                                                        Transfer-Encoding: chunked
                                                        2024-10-03 01:02:48 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                        Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                        2024-10-03 01:02:48 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID: 19 | Source: 192.168.2.5:49768 | Destination: 142.250.186.142:443 | PID: 6332 | Process: C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-10-03 01:02:48 UTC | 1338 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                        Host: play.google.com
                                                        Connection: keep-alive
                                                        Content-Length: 1191
                                                        sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                        sec-ch-ua-mobile: ?0
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                        sec-ch-ua-arch: "x86"
                                                        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                        sec-ch-ua-full-version: "117.0.5938.132"
                                                        sec-ch-ua-platform-version: "10.0.0"
                                                        X-Goog-AuthUser: 0
                                                        sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
                                                        sec-ch-ua-bitness: "64"
                                                        sec-ch-ua-model: ""
                                                        sec-ch-ua-wow64: ?0
                                                        sec-ch-ua-platform: "Windows"
                                                        Accept: */*
                                                        Origin: https://accounts.google.com
                                                        X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=
                                                        Sec-Fetch-Site: same-site
                                                        Sec-Fetch-Mode: cors
                                                        Sec-Fetch-Dest: empty
                                                        Referer: https://accounts.google.com/
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Cookie: NID=518=GVAlKW7_inQJ-bivYqoI4k2GVp50ZtVcZgMHqQM9xu1eEXz-ttL4xYeIpMslCS5FT4vgTLps5zcvKoSE-DUsINB18bSBsbxlQkfk7hURqv32d0NmA7trG7BIGc5l9zi1kq_eNp6lefIvxK93ccG9uJdjVhXiT7K6ggEEV7TeKKPNbanq0IuUSpgezn8
                                                        2024-10-03 01:02:48 UTC | 1191 | OUT | Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 39 31 37 33 36 36 37 33 37 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                        Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],1828,[["1727917366737",null,null,null
                                                        2024-10-03 01:02:48 UTC | 523 | IN | HTTP/1.1 200 OK
                                                        Access-Control-Allow-Origin: https://accounts.google.com
                                                        Cross-Origin-Resource-Policy: cross-origin
                                                        Access-Control-Allow-Credentials: true
                                                        Access-Control-Allow-Headers: X-Playlog-Web
                                                        Content-Type: text/plain; charset=UTF-8
                                                        Date: Thu, 03 Oct 2024 01:02:48 GMT
                                                        Server: Playlog
                                                        Cache-Control: private
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Accept-Ranges: none
                                                        Vary: Accept-Encoding
                                                        Connection: close
                                                        Transfer-Encoding: chunked
                                                        2024-10-03 01:02:48 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                        Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                        2024-10-03 01:02:48 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0



                                                        Target ID:0
                                                        Start time:21:00:59
                                                        Start date:02/10/2024
                                                        Path:C:\Users\user\Desktop\file.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\file.exe"
                                                        Imagebase:0xe50000
                                                        File size:919'040 bytes
                                                        MD5 hash:45C675B6790E21EACDB1F3478FCADFDA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:1
                                                        Start time:21:00:59
                                                        Start date:02/10/2024
                                                        Path:C:\Windows\SysWOW64\taskkill.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:taskkill /F /IM chrome.exe /T
                                                        Imagebase:0x850000
                                                        File size:74'240 bytes
                                                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:21:00:59
                                                        Start date:02/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:21:00:59
                                                        Start date:02/10/2024
                                                        Path:C:\Windows\SysWOW64\taskkill.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:taskkill /F /IM msedge.exe /T
                                                        Imagebase:0x850000
                                                        File size:74'240 bytes
                                                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:21:00:59
                                                        Start date:02/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:21:00:59
                                                        Start date:02/10/2024
                                                        Path:C:\Windows\SysWOW64\taskkill.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:taskkill /F /IM firefox.exe /T
                                                        Imagebase:0x850000
                                                        File size:74'240 bytes
                                                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:21:00:59
                                                        Start date:02/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:21:00:59
                                                        Start date:02/10/2024
                                                        Path:C:\Windows\SysWOW64\taskkill.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:taskkill /F /IM opera.exe /T
                                                        Imagebase:0x850000
                                                        File size:74'240 bytes
                                                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:21:00:59
                                                        Start date:02/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:21:00:59
                                                        Start date:02/10/2024
                                                        Path:C:\Windows\SysWOW64\taskkill.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:taskkill /F /IM brave.exe /T
                                                        Imagebase:0x850000
                                                        File size:74'240 bytes
                                                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:21:00:59
                                                        Start date:02/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:21:01:01
                                                        Start date:02/10/2024
                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
                                                        Imagebase:0x7ff715980000
                                                        File size:3'242'272 bytes
                                                        MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:14
                                                        Start time:21:01:01
                                                        Start date:02/10/2024
                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2024,i,6605478859309440277,1233847571118689499,262144 /prefetch:8
                                                        Imagebase:0x7ff715980000
                                                        File size:3'242'272 bytes
                                                        MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:15
                                                        Start time:21:01:12
                                                        Start date:02/10/2024
                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5556 --field-trial-handle=2024,i,6605478859309440277,1233847571118689499,262144 /prefetch:8
                                                        Imagebase:0x7ff715980000
                                                        File size:3'242'272 bytes
                                                        MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:16
                                                        Start time:21:01:12
                                                        Start date:02/10/2024
                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 --field-trial-handle=2024,i,6605478859309440277,1233847571118689499,262144 /prefetch:8
                                                        Imagebase:0x7ff715980000
                                                        File size:3'242'272 bytes
                                                        MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true
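The process list above is the whole "Credential Flusher" chain in one screen: file.exe (Target ID 0) spawns five forced `taskkill /F /IM <browser> /T` children against chrome.exe, msedge.exe, firefox.exe, opera.exe and brave.exe (Target IDs 1, 3, 6, 8, 10; the paired conhost.exe entries are only the console hosts for those taskkills), then two seconds later relaunches chrome.exe (Target ID 12) with `--start-fullscreen --disable-session-crashed-bubble --disable-infobars` on a youtube.com URL whose query string carries the real destination, a Google sign-in challenge page. The play.google.com sessions shown earlier in this section come from that relaunched chrome.exe (PID 6332). The following detector is an added example, not part of the Joe Sandbox report or of the sample: it runs over a constructed process-creation log (pipe-separated `time|pid|ppid|image|command line`, modelled on the report's process list; every PID except chrome.exe's 6332 is invented) and raises one alert when a browser is launched with kiosk/fullscreen flags within a short window after the same parent force-killed browsers. The 60-second window, the flag list and the log format are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe"}
# Flags that strip window chrome and warnings so the relaunched browser passes for
# an OS/account prompt; treated as the kiosk signature here (assumed list).
KIOSK_FLAGS = ("--start-fullscreen", "--kiosk", "--disable-session-crashed-bubble",
               "--disable-infobars")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')   # Windows-style argv: quoted or bare tokens
URL_RE = re.compile(r"https?://\S+")
SCHEME_RE = re.compile(r"https?://")


@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Alert:
    parent_pid: int              # process that spawned both the taskkills and the browser
    killed: List[str]            # browser images force-killed, in order
    launcher_pid: int            # pid of the relaunched browser
    flags: List[str]             # kiosk/fullscreen flags on its command line
    visible_url: Optional[str]   # first URL argument (the decoy host)
    embedded_url: Optional[str]  # second URL nested inside the first (the real target)


# Constructed sample log; times, images and command lines follow the report's process
# list, PIDs other than chrome.exe's 6332 are made up. Last line: a benign Chrome start.
SAMPLE_LOG = r"""
2024-10-02 21:00:59|6112|4488|C:\Users\user\Desktop\file.exe|"C:\Users\user\Desktop\file.exe"
2024-10-02 21:00:59|6120|6112|C:\Windows\SysWOW64\taskkill.exe|taskkill /F /IM chrome.exe /T
2024-10-02 21:00:59|6124|6120|C:\Windows\System32\conhost.exe|C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2024-10-02 21:00:59|6140|6112|C:\Windows\SysWOW64\taskkill.exe|taskkill /F /IM msedge.exe /T
2024-10-02 21:00:59|6160|6112|C:\Windows\SysWOW64\taskkill.exe|taskkill /F /IM firefox.exe /T
2024-10-02 21:00:59|6180|6112|C:\Windows\SysWOW64\taskkill.exe|taskkill /F /IM opera.exe /T
2024-10-02 21:00:59|6200|6112|C:\Windows\SysWOW64\taskkill.exe|taskkill /F /IM brave.exe /T
2024-10-02 21:01:01|6332|6112|C:\Program Files\Google\Chrome\Application\chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
2024-10-02 21:01:01|6348|6332|C:\Program Files\Google\Chrome\Application\chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US
2024-10-02 21:05:00|7000|1234|C:\Program Files\Google\Chrome\Application\chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/"
"""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(log: str) -> List[ProcEvent]:
    events = []
    for line in log.strip().splitlines():
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                int(pid), int(ppid), image, cmdline))
    return events


def tokenize(cmdline: str) -> List[str]:
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def killed_browser(ev: ProcEvent) -> Optional[str]:
    """Browser image targeted by a forced taskkill (/F /IM <image>), else None."""
    if basename(ev.image) != "taskkill.exe":
        return None
    toks = [t.lower() for t in tokenize(ev.cmdline)]
    if "/f" not in toks or "/im" not in toks or toks.index("/im") + 1 >= len(toks):
        return None
    target = toks[toks.index("/im") + 1]
    return target if target in BROWSERS else None


def detect(events: List[ProcEvent], window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    kills = {}                                   # parent pid -> forced browser taskkills
    for ev in events:
        if killed_browser(ev):
            kills.setdefault(ev.ppid, []).append(ev)
    alerts = []
    for ev in events:
        if basename(ev.image) not in BROWSERS:
            continue
        toks = tokenize(ev.cmdline)
        flags = [t for t in toks if t.lower() in KIOSK_FLAGS]
        # Only a kiosk-style launch preceded (within the window) by browser kills from
        # the same parent counts; a plain browser start never alerts.
        prior = [k for k in kills.get(ev.ppid, []) if timedelta(0) <= ev.ts - k.ts <= window]
        if not flags or not prior:
            continue
        urls = [t for t in toks if URL_RE.fullmatch(t)]
        visible = urls[0] if urls else None
        embedded = None
        if visible:                              # decoy pattern: a URL carrying a second URL
            starts = [m.start() for m in SCHEME_RE.finditer(visible)]
            if len(starts) > 1:
                embedded = visible[starts[1]:]
        killed = list(dict.fromkeys(killed_browser(k) for k in prior))
        alerts.append(Alert(ev.ppid, killed, ev.pid, flags, visible, embedded))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"parent {a.parent_pid}: killed {', '.join(a.killed)}; pid {a.launcher_pid} "
              f"relaunched with {' '.join(a.flags)} -> {a.embedded_url or a.visible_url}")
```

Keying the correlation on the parent PID follows the report's own tree, where file.exe is the parent of both the taskkill children and the relaunched chrome.exe; on a real endpoint the parent may instead be an intermediate cmd.exe or script host, so a production rule would walk up one or two ancestors before comparing. The utility child of the relaunched browser (Target ID 14 in the report) carries none of the kiosk flags and is correctly ignored.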


                                                          Execution Graph

                                                          Execution Coverage:2.2%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:4.6%
                                                          Total number of Nodes:1635
                                                          Total number of Limit Nodes:53
                                                          execution_graph:node listing not reproduced here (rendered as an interactive graph in the original report; the export is a flat stream of node ids, code addresses and a->b edges, cut off at the end of the page)
                                                          APIs named on graph nodes (process and thread setup):GetStdHandle, OleInitialize, InitializeCriticalSectionAndSpinCount, InterlockedExchange, GetCurrentProcess, DuplicateHandle, CreateThread, CloseHandle, RegisterWindowMessageW
                                                          APIs named on graph nodes (heap, synchronisation, errors):RtlAllocateHeap, RtlFreeHeap, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, RaiseException, GetLastError
                                                          APIs named on graph nodes (file and path handling):GetOpenFileNameW, GetFullPathNameW, GetLongPathNameW, GetCurrentDirectoryW, GetSystemDirectoryW, GetFileAttributesW, lstrlenW
                                                          APIs named on graph nodes (dynamic loading and resources):LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal
                                                          APIs named on graph nodes (message pump and timing):SystemParametersInfoW, PeekMessageW, GetInputState, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, IsDialogMessageW, GetClassLongW, GetForegroundWindow, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, Sleep
                                                          APIs named on graph nodes (process enumeration and creation):CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CreateProcessW, GetExitCodeProcess, WaitForSingleObject
FindFirstFileW 96256->96258 96257->95976 96258->96257 96259 ebdbf9 FindClose 96258->96259 96259->96257 96261 e5ae01 96260->96261 96264 e5ae1c messages 96260->96264 96262 e5aec9 22 API calls 96261->96262 96263 e5ae09 CharUpperBuffW 96262->96263 96263->96264 96264->95803 96266 e5acae 96265->96266 96267 e5acd1 96266->96267 96296 ec359c 82 API calls __wsopen_s 96266->96296 96267->95855 96270 e9fadb 96269->96270 96271 e5ad92 96269->96271 96272 e6fddb 22 API calls 96271->96272 96273 e5ad99 96272->96273 96297 e5adcd 96273->96297 96276->95852 96277->95856 96278->95856 96279->95806 96280->95844 96281->95822 96282->95844 96283->95844 96284->95855 96285->95855 96286->95855 96287->95855 96288->95855 96289->95855 96290->95834 96291->95844 96292->95841 96293->95842 96294->95848 96295->95844 96296->96267 96301 e5addd 96297->96301 96298 e5adb6 96298->95855 96299 e6fddb 22 API calls 96299->96301 96300 e5a961 22 API calls 96300->96301 96301->96298 96301->96299 96301->96300 96303 e5adcd 22 API calls 96301->96303 96304 e5a8c7 22 API calls __fread_nolock 96301->96304 96303->96301 96304->96301 96305->95876 96306->95876 96307->95885 96308->95885 96309->95885 96310->95885 96311->95871 96312->95885 96313 e88402 96318 e881be 96313->96318 96317 e8842a 96323 e881ef try_get_first_available_module 96318->96323 96320 e883ee 96337 e827ec 26 API calls pre_c_initialization 96320->96337 96322 e88343 96322->96317 96330 e90984 96322->96330 96329 e88338 96323->96329 96333 e78e0b 40 API calls 2 library calls 96323->96333 96325 e8838c 96325->96329 96334 e78e0b 40 API calls 2 library calls 96325->96334 96327 e883ab 96327->96329 96335 e78e0b 40 API calls 2 library calls 96327->96335 96329->96322 96336 e7f2d9 20 API calls __dosmaperr 96329->96336 96338 e90081 96330->96338 96332 e9099f 96332->96317 96333->96325 96334->96327 96335->96329 96336->96320 96337->96322 96341 e9008d ___DestructExceptionObject 96338->96341 96339 e9009b 96396 e7f2d9 20 API calls __dosmaperr 96339->96396 96341->96339 96343 e900d4 
96341->96343 96342 e900a0 96397 e827ec 26 API calls pre_c_initialization 96342->96397 96349 e9065b 96343->96349 96348 e900aa __fread_nolock 96348->96332 96399 e9042f 96349->96399 96352 e9068d 96431 e7f2c6 20 API calls __dosmaperr 96352->96431 96353 e906a6 96417 e85221 96353->96417 96356 e90692 96432 e7f2d9 20 API calls __dosmaperr 96356->96432 96357 e906ab 96358 e906cb 96357->96358 96359 e906b4 96357->96359 96430 e9039a CreateFileW 96358->96430 96433 e7f2c6 20 API calls __dosmaperr 96359->96433 96363 e906b9 96434 e7f2d9 20 API calls __dosmaperr 96363->96434 96364 e900f8 96398 e90121 LeaveCriticalSection __wsopen_s 96364->96398 96366 e90781 GetFileType 96368 e9078c GetLastError 96366->96368 96369 e907d3 96366->96369 96367 e90756 GetLastError 96436 e7f2a3 20 API calls 2 library calls 96367->96436 96437 e7f2a3 20 API calls 2 library calls 96368->96437 96439 e8516a 21 API calls 3 library calls 96369->96439 96371 e90704 96371->96366 96371->96367 96435 e9039a CreateFileW 96371->96435 96373 e9079a CloseHandle 96373->96356 96375 e907c3 96373->96375 96438 e7f2d9 20 API calls __dosmaperr 96375->96438 96377 e90749 96377->96366 96377->96367 96379 e907f4 96381 e90840 96379->96381 96440 e905ab 72 API calls 4 library calls 96379->96440 96380 e907c8 96380->96356 96385 e9086d 96381->96385 96441 e9014d 72 API calls 4 library calls 96381->96441 96384 e90866 96384->96385 96386 e9087e 96384->96386 96387 e886ae __wsopen_s 29 API calls 96385->96387 96386->96364 96388 e908fc CloseHandle 96386->96388 96387->96364 96442 e9039a CreateFileW 96388->96442 96390 e90927 96391 e90931 GetLastError 96390->96391 96395 e9095d 96390->96395 96443 e7f2a3 20 API calls 2 library calls 96391->96443 96393 e9093d 96444 e85333 21 API calls 3 library calls 96393->96444 96395->96364 96396->96342 96397->96348 96398->96348 96400 e90450 96399->96400 96401 e9046a 96399->96401 96400->96401 96452 e7f2d9 20 API calls __dosmaperr 96400->96452 96445 e903bf 96401->96445 96404 e9045f 96453 e827ec 26 API calls 
pre_c_initialization 96404->96453 96406 e904a2 96407 e904d1 96406->96407 96454 e7f2d9 20 API calls __dosmaperr 96406->96454 96410 e90524 96407->96410 96456 e7d70d 26 API calls 2 library calls 96407->96456 96410->96352 96410->96353 96411 e9051f 96411->96410 96413 e9059e 96411->96413 96412 e904c6 96455 e827ec 26 API calls pre_c_initialization 96412->96455 96457 e827fc 11 API calls _abort 96413->96457 96416 e905aa 96418 e8522d ___DestructExceptionObject 96417->96418 96460 e82f5e EnterCriticalSection 96418->96460 96420 e8527b 96461 e8532a 96420->96461 96421 e85259 96464 e85000 96421->96464 96422 e85234 96422->96420 96422->96421 96427 e852c7 EnterCriticalSection 96422->96427 96425 e852a4 __fread_nolock 96425->96357 96427->96420 96428 e852d4 LeaveCriticalSection 96427->96428 96428->96422 96430->96371 96431->96356 96432->96364 96433->96363 96434->96356 96435->96377 96436->96356 96437->96373 96438->96380 96439->96379 96440->96381 96441->96384 96442->96390 96443->96393 96444->96395 96446 e903d7 96445->96446 96447 e903f2 96446->96447 96458 e7f2d9 20 API calls __dosmaperr 96446->96458 96447->96406 96449 e90416 96459 e827ec 26 API calls pre_c_initialization 96449->96459 96451 e90421 96451->96406 96452->96404 96453->96401 96454->96412 96455->96407 96456->96411 96457->96416 96458->96449 96459->96451 96460->96422 96472 e82fa6 LeaveCriticalSection 96461->96472 96463 e85331 96463->96425 96465 e84c7d pre_c_initialization 20 API calls 96464->96465 96467 e85012 96465->96467 96466 e8501f 96468 e829c8 _free 20 API calls 96466->96468 96467->96466 96473 e83405 11 API calls 2 library calls 96467->96473 96469 e85071 96468->96469 96469->96420 96471 e85147 EnterCriticalSection 96469->96471 96471->96420 96472->96463 96473->96467 96474 e92402 96477 e51410 96474->96477 96478 e924b8 DestroyWindow 96477->96478 96479 e5144f mciSendStringW 96477->96479 96491 e924c4 96478->96491 96480 e516c6 96479->96480 96481 e5146b 96479->96481 96480->96481 96483 e516d5 UnregisterHotKey 96480->96483 96482 e51479 
96481->96482 96481->96491 96510 e5182e 96482->96510 96483->96480 96485 e924d8 96485->96491 96516 e56246 CloseHandle 96485->96516 96486 e924e2 FindClose 96486->96491 96488 e92509 96492 e9252d 96488->96492 96493 e9251c FreeLibrary 96488->96493 96490 e5148e 96490->96492 96500 e5149c 96490->96500 96491->96485 96491->96486 96491->96488 96494 e92541 VirtualFree 96492->96494 96501 e51509 96492->96501 96493->96488 96494->96492 96495 e514f8 CoUninitialize 96495->96501 96496 e92589 96503 e92598 messages 96496->96503 96517 ec32eb 6 API calls messages 96496->96517 96497 e51514 96498 e51524 96497->96498 96514 e51944 VirtualFreeEx CloseHandle 96498->96514 96500->96495 96501->96496 96501->96497 96506 e92627 96503->96506 96518 eb64d4 22 API calls messages 96503->96518 96505 e5153a 96505->96503 96507 e5161f 96505->96507 96506->96506 96507->96506 96515 e51876 CloseHandle InternetCloseHandle InternetCloseHandle WaitForSingleObject 96507->96515 96509 e516c1 96511 e5183b 96510->96511 96512 e51480 96511->96512 96519 eb702a 22 API calls 96511->96519 96512->96488 96512->96490 96514->96505 96515->96509 96516->96485 96517->96496 96518->96503 96519->96511 96520 e92ba5 96521 e52b25 96520->96521 96522 e92baf 96520->96522 96548 e52b83 7 API calls 96521->96548 96566 e53a5a 96522->96566 96525 e92bb8 96528 e59cb3 22 API calls 96525->96528 96530 e92bc6 96528->96530 96529 e52b2f 96538 e52b44 96529->96538 96552 e53837 96529->96552 96531 e92bce 96530->96531 96532 e92bf5 96530->96532 96573 e533c6 96531->96573 96535 e533c6 22 API calls 96532->96535 96546 e92bf1 GetForegroundWindow ShellExecuteW 96535->96546 96537 e52b5f 96545 e52b66 SetCurrentDirectoryW 96537->96545 96538->96537 96562 e530f2 96538->96562 96539 e56350 22 API calls 96542 e92be7 96539->96542 96544 e533c6 22 API calls 96542->96544 96543 e92c26 96543->96537 96544->96546 96547 e52b7a 96545->96547 96546->96543 96582 e52cd4 7 API calls 96548->96582 96550 e52b2a 96551 e52c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 96550->96551 
96551->96529 96553 e53862 ___scrt_fastfail 96552->96553 96583 e54212 96553->96583 96556 e538e8 96558 e53906 Shell_NotifyIconW 96556->96558 96559 e93386 Shell_NotifyIconW 96556->96559 96587 e53923 96558->96587 96561 e5391c 96561->96538 96563 e53154 96562->96563 96564 e53104 ___scrt_fastfail 96562->96564 96563->96537 96565 e53123 Shell_NotifyIconW 96564->96565 96565->96563 96567 e91f50 __wsopen_s 96566->96567 96568 e53a67 GetModuleFileNameW 96567->96568 96569 e59cb3 22 API calls 96568->96569 96570 e53a8d 96569->96570 96571 e53aa2 23 API calls 96570->96571 96572 e53a97 96571->96572 96572->96525 96574 e930bb 96573->96574 96575 e533dd 96573->96575 96577 e6fddb 22 API calls 96574->96577 96616 e533ee 96575->96616 96579 e930c5 _wcslen 96577->96579 96578 e533e8 96578->96539 96580 e6fe0b 22 API calls 96579->96580 96581 e930fe __fread_nolock 96580->96581 96582->96550 96584 e538b7 96583->96584 96585 e935a4 96583->96585 96584->96556 96609 ebc874 42 API calls _strftime 96584->96609 96585->96584 96586 e935ad DestroyIcon 96585->96586 96586->96584 96588 e53a13 96587->96588 96589 e5393f 96587->96589 96588->96561 96610 e56270 96589->96610 96592 e93393 LoadStringW 96595 e933ad 96592->96595 96593 e5395a 96594 e56b57 22 API calls 96593->96594 96596 e5396f 96594->96596 96604 e53994 ___scrt_fastfail 96595->96604 96615 e5a8c7 22 API calls __fread_nolock 96595->96615 96597 e933c9 96596->96597 96598 e5397c 96596->96598 96601 e56350 22 API calls 96597->96601 96598->96595 96600 e53986 96598->96600 96602 e56350 22 API calls 96600->96602 96603 e933d7 96601->96603 96602->96604 96603->96604 96605 e533c6 22 API calls 96603->96605 96606 e539f9 Shell_NotifyIconW 96604->96606 96607 e933f9 96605->96607 96606->96588 96608 e533c6 22 API calls 96607->96608 96608->96604 96609->96556 96611 e6fe0b 22 API calls 96610->96611 96612 e56295 96611->96612 96613 e6fddb 22 API calls 96612->96613 96614 e5394d 96613->96614 96614->96592 96614->96593 96615->96604 96617 e533fe _wcslen 96616->96617 96618 e9311d 
96617->96618 96619 e53411 96617->96619 96620 e6fddb 22 API calls 96618->96620 96621 e5a587 22 API calls 96619->96621 96623 e93127 96620->96623 96622 e5341e __fread_nolock 96621->96622 96622->96578 96624 e6fe0b 22 API calls 96623->96624 96625 e93157 __fread_nolock 96624->96625 96626 e52e37 96627 e5a961 22 API calls 96626->96627 96628 e52e4d 96627->96628 96705 e54ae3 96628->96705 96630 e52e6b 96631 e53a5a 24 API calls 96630->96631 96632 e52e7f 96631->96632 96633 e59cb3 22 API calls 96632->96633 96634 e52e8c 96633->96634 96635 e54ecb 94 API calls 96634->96635 96636 e52ea5 96635->96636 96637 e52ead 96636->96637 96638 e92cb0 96636->96638 96719 e5a8c7 22 API calls __fread_nolock 96637->96719 96639 ec2cf9 80 API calls 96638->96639 96640 e92cc3 96639->96640 96642 e92ccf 96640->96642 96644 e54f39 68 API calls 96640->96644 96646 e54f39 68 API calls 96642->96646 96643 e52ec3 96720 e56f88 22 API calls 96643->96720 96644->96642 96648 e92ce5 96646->96648 96647 e52ecf 96649 e59cb3 22 API calls 96647->96649 96736 e53084 22 API calls 96648->96736 96650 e52edc 96649->96650 96721 e5a81b 41 API calls 96650->96721 96653 e52eec 96655 e59cb3 22 API calls 96653->96655 96654 e92d02 96737 e53084 22 API calls 96654->96737 96657 e52f12 96655->96657 96722 e5a81b 41 API calls 96657->96722 96659 e92d1e 96660 e53a5a 24 API calls 96659->96660 96662 e92d44 96660->96662 96661 e52f21 96665 e5a961 22 API calls 96661->96665 96738 e53084 22 API calls 96662->96738 96664 e92d50 96739 e5a8c7 22 API calls __fread_nolock 96664->96739 96667 e52f3f 96665->96667 96723 e53084 22 API calls 96667->96723 96668 e92d5e 96740 e53084 22 API calls 96668->96740 96671 e52f4b 96724 e74a28 40 API calls 3 library calls 96671->96724 96673 e52f59 96673->96648 96675 e52f63 96673->96675 96674 e92d6d 96741 e5a8c7 22 API calls __fread_nolock 96674->96741 96725 e74a28 40 API calls 3 library calls 96675->96725 96678 e92d83 96742 e53084 22 API calls 96678->96742 96679 e52f6e 96679->96654 96681 e52f78 96679->96681 96726 e74a28 40 API 
calls 3 library calls 96681->96726 96683 e92d90 96684 e52f83 96684->96659 96685 e52f8d 96684->96685 96727 e74a28 40 API calls 3 library calls 96685->96727 96687 e52f98 96688 e52fdc 96687->96688 96728 e53084 22 API calls 96687->96728 96688->96674 96689 e52fe8 96688->96689 96689->96683 96691 e563eb 22 API calls 96689->96691 96693 e52ff8 96691->96693 96692 e52fbf 96729 e5a8c7 22 API calls __fread_nolock 96692->96729 96731 e56a50 22 API calls 96693->96731 96696 e52fcd 96730 e53084 22 API calls 96696->96730 96697 e53006 96732 e570b0 23 API calls 96697->96732 96702 e53021 96703 e53065 96702->96703 96733 e56f88 22 API calls 96702->96733 96734 e570b0 23 API calls 96702->96734 96735 e53084 22 API calls 96702->96735 96706 e54af0 __wsopen_s 96705->96706 96707 e56b57 22 API calls 96706->96707 96708 e54b22 96706->96708 96707->96708 96709 e54c6d 22 API calls 96708->96709 96717 e54b58 96708->96717 96709->96708 96710 e59cb3 22 API calls 96712 e54c52 96710->96712 96711 e59cb3 22 API calls 96711->96717 96713 e5515f 22 API calls 96712->96713 96716 e54c5e 96713->96716 96714 e54c6d 22 API calls 96714->96717 96715 e5515f 22 API calls 96715->96717 96716->96630 96717->96711 96717->96714 96717->96715 96718 e54c29 96717->96718 96718->96710 96718->96716 96719->96643 96720->96647 96721->96653 96722->96661 96723->96671 96724->96673 96725->96679 96726->96684 96727->96687 96728->96692 96729->96696 96730->96688 96731->96697 96732->96702 96733->96702 96734->96702 96735->96702 96736->96654 96737->96659 96738->96664 96739->96668 96740->96674 96741->96678 96742->96683 96743 e53156 96746 e53170 96743->96746 96747 e53187 96746->96747 96748 e5318c 96747->96748 96749 e531eb 96747->96749 96787 e531e9 96747->96787 96753 e53265 PostQuitMessage 96748->96753 96754 e53199 96748->96754 96751 e92dfb 96749->96751 96752 e531f1 96749->96752 96750 e531d0 DefWindowProcW 96779 e5316a 96750->96779 96801 e518e2 10 API calls 96751->96801 96755 e5321d SetTimer RegisterWindowMessageW 96752->96755 96756 e531f8 96752->96756 
96753->96779 96758 e531a4 96754->96758 96759 e92e7c 96754->96759 96763 e53246 CreatePopupMenu 96755->96763 96755->96779 96760 e53201 KillTimer 96756->96760 96761 e92d9c 96756->96761 96764 e92e68 96758->96764 96765 e531ae 96758->96765 96804 ebbf30 34 API calls ___scrt_fastfail 96759->96804 96770 e530f2 Shell_NotifyIconW 96760->96770 96768 e92da1 96761->96768 96769 e92dd7 MoveWindow 96761->96769 96762 e92e1c 96802 e6e499 42 API calls 96762->96802 96763->96779 96791 ebc161 96764->96791 96773 e531b9 96765->96773 96777 e92e4d 96765->96777 96767 e92e8e 96767->96750 96767->96779 96775 e92da7 96768->96775 96776 e92dc6 SetFocus 96768->96776 96769->96779 96778 e53214 96770->96778 96774 e53253 96773->96774 96780 e531c4 96773->96780 96799 e5326f 44 API calls ___scrt_fastfail 96774->96799 96775->96780 96782 e92db0 96775->96782 96776->96779 96777->96750 96803 eb0ad7 22 API calls 96777->96803 96798 e53c50 DeleteObject DestroyWindow 96778->96798 96780->96750 96788 e530f2 Shell_NotifyIconW 96780->96788 96800 e518e2 10 API calls 96782->96800 96785 e53263 96785->96779 96787->96750 96789 e92e41 96788->96789 96790 e53837 49 API calls 96789->96790 96790->96787 96792 ebc179 ___scrt_fastfail 96791->96792 96793 ebc276 96791->96793 96794 e53923 24 API calls 96792->96794 96793->96779 96795 ebc1a0 96794->96795 96796 ebc25f KillTimer SetTimer 96795->96796 96797 ebc251 Shell_NotifyIconW 96795->96797 96796->96793 96797->96796 96798->96779 96799->96785 96800->96779 96801->96762 96802->96780 96803->96787 96804->96767 96805 e51033 96810 e54c91 96805->96810 96809 e51042 96811 e5a961 22 API calls 96810->96811 96812 e54cff 96811->96812 96818 e53af0 96812->96818 96815 e54d9c 96816 e51038 96815->96816 96821 e551f7 22 API calls __fread_nolock 96815->96821 96817 e700a3 29 API calls __onexit 96816->96817 96817->96809 96822 e53b1c 96818->96822 96821->96815 96823 e53b0f 96822->96823 96824 e53b29 96822->96824 96823->96815 96824->96823 96825 e53b30 RegOpenKeyExW 96824->96825 96825->96823 96826 e53b4a 
RegQueryValueExW 96825->96826 96827 e53b80 RegCloseKey 96826->96827 96828 e53b6b 96826->96828 96827->96823 96828->96827 96829 e5dddc 96832 e5b710 96829->96832 96833 e5b72b 96832->96833 96834 ea00f8 96833->96834 96835 ea0146 96833->96835 96860 e5b750 96833->96860 96838 ea0102 96834->96838 96841 ea010f 96834->96841 96834->96860 96874 ed58a2 348 API calls 2 library calls 96835->96874 96872 ed5d33 348 API calls 96838->96872 96856 e5ba20 96841->96856 96873 ed61d0 348 API calls 2 library calls 96841->96873 96844 ea03d9 96844->96844 96848 ea0322 96878 ed5c0c 82 API calls 96848->96878 96852 e5ba4e 96856->96852 96879 ec359c 82 API calls __wsopen_s 96856->96879 96857 e6d336 40 API calls 96857->96860 96858 e5bbe0 40 API calls 96858->96860 96859 e5ec40 348 API calls 96859->96860 96860->96848 96860->96852 96860->96856 96860->96857 96860->96858 96860->96859 96863 e5a81b 41 API calls 96860->96863 96864 e6d2f0 40 API calls 96860->96864 96865 e6a01b 348 API calls 96860->96865 96866 e70242 5 API calls __Init_thread_wait 96860->96866 96867 e6edcd 22 API calls 96860->96867 96868 e700a3 29 API calls __onexit 96860->96868 96869 e701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96860->96869 96870 e6ee53 82 API calls 96860->96870 96871 e6e5ca 348 API calls 96860->96871 96875 e5aceb 23 API calls messages 96860->96875 96876 eaf6bf 23 API calls 96860->96876 96877 e5a8c7 22 API calls __fread_nolock 96860->96877 96863->96860 96864->96860 96865->96860 96866->96860 96867->96860 96868->96860 96869->96860 96870->96860 96871->96860 96872->96841 96873->96856 96874->96860 96875->96860 96876->96860 96877->96860 96878->96856 96879->96844 96880 e5f7bf 96881 e5fcb6 96880->96881 96882 e5f7d3 96880->96882 96917 e5aceb 23 API calls messages 96881->96917 96884 e5fcc2 96882->96884 96886 e6fddb 22 API calls 96882->96886 96918 e5aceb 23 API calls messages 96884->96918 96887 e5f7e5 96886->96887 96887->96884 96888 e5f83e 96887->96888 96889 e5fd3d 96887->96889 96891 e61310 348 API calls 
96888->96891 96907 e5ed9d messages 96888->96907 96919 ec1155 22 API calls 96889->96919 96896 e5ec76 messages 96891->96896 96892 ea4beb 96925 ec359c 82 API calls __wsopen_s 96892->96925 96893 e6fddb 22 API calls 96893->96896 96894 e5fef7 96894->96907 96921 e5a8c7 22 API calls __fread_nolock 96894->96921 96896->96892 96896->96893 96896->96894 96898 ea4600 96896->96898 96899 ea4b0b 96896->96899 96905 e70242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96896->96905 96906 e5a8c7 22 API calls 96896->96906 96896->96907 96908 e5fbe3 96896->96908 96909 e5a961 22 API calls 96896->96909 96912 e700a3 29 API calls pre_c_initialization 96896->96912 96913 e701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96896->96913 96914 e5f3ae messages 96896->96914 96915 e601e0 348 API calls 2 library calls 96896->96915 96916 e606a0 41 API calls messages 96896->96916 96898->96907 96920 e5a8c7 22 API calls __fread_nolock 96898->96920 96923 ec359c 82 API calls __wsopen_s 96899->96923 96905->96896 96906->96896 96908->96907 96910 ea4bdc 96908->96910 96908->96914 96909->96896 96924 ec359c 82 API calls __wsopen_s 96910->96924 96912->96896 96913->96896 96914->96907 96922 ec359c 82 API calls __wsopen_s 96914->96922 96915->96896 96916->96896 96917->96884 96918->96889 96919->96907 96920->96907 96921->96907 96922->96907 96923->96907 96924->96892 96925->96907 96926 e703fb 96927 e70407 ___DestructExceptionObject 96926->96927 96955 e6feb1 96927->96955 96929 e7040e 96930 e70561 96929->96930 96934 e70438 96929->96934 96985 e7083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 96930->96985 96932 e70568 96978 e74e52 96932->96978 96942 e70477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 96934->96942 96966 e8247d 96934->96966 96940 e70457 96946 e704d8 96942->96946 96981 e74e1a 38 API calls 3 library calls 96942->96981 96944 
e704de 96947 e704f3 96944->96947 96974 e70959 96946->96974 96982 e70992 GetModuleHandleW 96947->96982 96949 e704fa 96949->96932 96950 e704fe 96949->96950 96951 e70507 96950->96951 96983 e74df5 28 API calls _abort 96950->96983 96984 e70040 13 API calls 2 library calls 96951->96984 96954 e7050f 96954->96940 96956 e6feba 96955->96956 96987 e70698 IsProcessorFeaturePresent 96956->96987 96958 e6fec6 96988 e72c94 10 API calls 3 library calls 96958->96988 96960 e6fecb 96965 e6fecf 96960->96965 96989 e82317 96960->96989 96963 e6fee6 96963->96929 96965->96929 96967 e82494 96966->96967 96968 e70a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 96967->96968 96969 e70451 96968->96969 96969->96940 96970 e82421 96969->96970 96971 e82450 96970->96971 96972 e70a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 96971->96972 96973 e82479 96972->96973 96973->96942 97040 e72340 96974->97040 96977 e7097f 96977->96944 97042 e74bcf 96978->97042 96981->96946 96982->96949 96983->96951 96984->96954 96985->96932 96987->96958 96988->96960 96993 e8d1f6 96989->96993 96992 e72cbd 8 API calls 3 library calls 96992->96965 96994 e8d213 96993->96994 96997 e8d20f 96993->96997 96994->96997 96999 e84bfb 96994->96999 96996 e6fed8 96996->96963 96996->96992 97011 e70a8c 96997->97011 97000 e84c07 ___DestructExceptionObject 96999->97000 97018 e82f5e EnterCriticalSection 97000->97018 97002 e84c0e 97019 e850af 97002->97019 97004 e84c1d 97010 e84c2c 97004->97010 97032 e84a8f 29 API calls 97004->97032 97007 e84c27 97033 e84b45 GetStdHandle GetFileType 97007->97033 97009 e84c3d __fread_nolock 97009->96994 97034 e84c48 LeaveCriticalSection _abort 97010->97034 97012 e70a97 IsProcessorFeaturePresent 97011->97012 97013 e70a95 97011->97013 97015 e70c5d 97012->97015 97013->96996 97039 e70c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 97015->97039 97017 e70d40 97017->96996 97018->97002 97020 e850bb ___DestructExceptionObject 
97019->97020 97021 e850c8 97020->97021 97022 e850df 97020->97022 97036 e7f2d9 20 API calls __dosmaperr 97021->97036 97035 e82f5e EnterCriticalSection 97022->97035 97025 e850cd 97037 e827ec 26 API calls pre_c_initialization 97025->97037 97027 e85117 97038 e8513e LeaveCriticalSection _abort 97027->97038 97028 e850d7 __fread_nolock 97028->97004 97029 e850eb 97029->97027 97031 e85000 __wsopen_s 21 API calls 97029->97031 97031->97029 97032->97007 97033->97010 97034->97009 97035->97029 97036->97025 97037->97028 97038->97028 97039->97017 97041 e7096c GetStartupInfoW 97040->97041 97041->96977 97043 e74bdb FindHandlerForForeignException 97042->97043 97044 e74bf4 97043->97044 97045 e74be2 97043->97045 97066 e82f5e EnterCriticalSection 97044->97066 97081 e74d29 GetModuleHandleW 97045->97081 97048 e74be7 97048->97044 97082 e74d6d GetModuleHandleExW 97048->97082 97049 e74c99 97070 e74cd9 97049->97070 97053 e74c70 97055 e74c88 97053->97055 97060 e82421 _abort 5 API calls 97053->97060 97061 e82421 _abort 5 API calls 97055->97061 97056 e74bfb 97056->97049 97056->97053 97067 e821a8 97056->97067 97057 e74cb6 97073 e74ce8 97057->97073 97058 e74ce2 97090 e91d29 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 97058->97090 97060->97055 97061->97049 97066->97056 97091 e81ee1 97067->97091 97110 e82fa6 LeaveCriticalSection 97070->97110 97072 e74cb2 97072->97057 97072->97058 97111 e8360c 97073->97111 97076 e74d16 97078 e74d6d _abort 8 API calls 97076->97078 97077 e74cf6 GetPEB 97077->97076 97079 e74d06 GetCurrentProcess TerminateProcess 97077->97079 97080 e74d1e ExitProcess 97078->97080 97079->97076 97081->97048 97083 e74d97 GetProcAddress 97082->97083 97084 e74dba 97082->97084 97085 e74dac 97083->97085 97086 e74dc0 FreeLibrary 97084->97086 97087 e74dc9 97084->97087 97085->97084 97086->97087 97088 e70a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 97087->97088 97089 e74bf3 97088->97089 97089->97044 97094 e81e90 97091->97094 97093 e81f05 97093->97053 
97095 e81e9c ___DestructExceptionObject 97094->97095 97102 e82f5e EnterCriticalSection 97095->97102 97097 e81eaa 97103 e81f31 97097->97103 97101 e81ec8 __fread_nolock 97101->97093 97102->97097 97104 e81f51 97103->97104 97107 e81f59 97103->97107 97105 e70a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 97104->97105 97106 e81eb7 97105->97106 97109 e81ed5 LeaveCriticalSection _abort 97106->97109 97107->97104 97108 e829c8 _free 20 API calls 97107->97108 97108->97104 97109->97101 97110->97072 97112 e83631 97111->97112 97113 e83627 97111->97113 97118 e82fd7 5 API calls 2 library calls 97112->97118 97115 e70a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 97113->97115 97116 e74cf2 97115->97116 97116->97076 97116->97077 97117 e83648 97117->97113 97118->97117 97119 e51098 97124 e542de 97119->97124 97123 e510a7 97125 e5a961 22 API calls 97124->97125 97126 e542f5 GetVersionExW 97125->97126 97127 e56b57 22 API calls 97126->97127 97128 e54342 97127->97128 97129 e593b2 22 API calls 97128->97129 97141 e54378 97128->97141 97130 e5436c 97129->97130 97132 e537a0 22 API calls 97130->97132 97131 e5441b GetCurrentProcess IsWow64Process 97133 e54437 97131->97133 97132->97141 97134 e5444f LoadLibraryA 97133->97134 97135 e93824 GetSystemInfo 97133->97135 97136 e54460 GetProcAddress 97134->97136 97137 e5449c GetSystemInfo 97134->97137 97136->97137 97139 e54470 GetNativeSystemInfo 97136->97139 97140 e54476 97137->97140 97138 e937df 97139->97140 97142 e5109d 97140->97142 97143 e5447a FreeLibrary 97140->97143 97141->97131 97141->97138 97144 e700a3 29 API calls __onexit 97142->97144 97143->97142 97144->97123 97145 e5105b 97150 e5344d 97145->97150 97147 e5106a 97181 e700a3 29 API calls __onexit 97147->97181 97149 e51074 97151 e5345d __wsopen_s 97150->97151 97152 e5a961 22 API calls 97151->97152 97153 e53513 97152->97153 97154 e53a5a 24 API calls 97153->97154 97155 e5351c 97154->97155 97182 e53357 97155->97182 97158 e533c6 22 API calls 97159 e53535 
97158->97159 97160 e5515f 22 API calls 97159->97160 97161 e53544 97160->97161 97162 e5a961 22 API calls 97161->97162 97163 e5354d 97162->97163 97164 e5a6c3 22 API calls 97163->97164 97165 e53556 RegOpenKeyExW 97164->97165 97166 e93176 RegQueryValueExW 97165->97166 97170 e53578 97165->97170 97167 e9320c RegCloseKey 97166->97167 97168 e93193 97166->97168 97167->97170 97180 e9321e _wcslen 97167->97180 97169 e6fe0b 22 API calls 97168->97169 97171 e931ac 97169->97171 97170->97147 97172 e55722 22 API calls 97171->97172 97173 e931b7 RegQueryValueExW 97172->97173 97175 e931d4 97173->97175 97177 e931ee messages 97173->97177 97174 e54c6d 22 API calls 97174->97180 97176 e56b57 22 API calls 97175->97176 97176->97177 97177->97167 97178 e59cb3 22 API calls 97178->97180 97179 e5515f 22 API calls 97179->97180 97180->97170 97180->97174 97180->97178 97180->97179 97181->97149 97183 e91f50 __wsopen_s 97182->97183 97184 e53364 GetFullPathNameW 97183->97184 97185 e53386 97184->97185 97186 e56b57 22 API calls 97185->97186 97187 e533a4 97186->97187 97187->97158 97188 ea3f75 97199 e6ceb1 97188->97199 97190 ea3f8b 97198 ea4006 97190->97198 97208 e6e300 23 API calls 97190->97208 97192 e5bf40 348 API calls 97193 ea4052 97192->97193 97196 ea4a88 97193->97196 97210 ec359c 82 API calls __wsopen_s 97193->97210 97195 ea3fe6 97195->97193 97209 ec1abf 22 API calls 97195->97209 97198->97192 97200 e6ced2 97199->97200 97201 e6cebf 97199->97201 97203 e6ced7 97200->97203 97204 e6cf05 97200->97204 97211 e5aceb 23 API calls messages 97201->97211 97205 e6fddb 22 API calls 97203->97205 97212 e5aceb 23 API calls messages 97204->97212 97207 e6cec9 97205->97207 97207->97190 97208->97195 97209->97198 97210->97196 97211->97207 97212->97207

                                                          Control-flow Graph (executed / not-executed edge listing for function e542de omitted)
                                                          APIs
                                                          • GetVersionExW.KERNEL32(?), ref: 00E5430D
                                                            • Part of subcall function 00E56B57: _wcslen.LIBCMT ref: 00E56B6A
                                                          • GetCurrentProcess.KERNEL32(?,00EECB64,00000000,?,?), ref: 00E54422
                                                          • IsWow64Process.KERNEL32(00000000,?,?), ref: 00E54429
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00E54454
                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E54466
                                                          • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00E54474
                                                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 00E5447B
                                                          • GetSystemInfo.KERNEL32(?,?,?), ref: 00E544A0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                          • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                          • API String ID: 3290436268-3101561225
                                                          • Opcode ID: a52477e19910e4da05885d63780c73f665f8b4f609a41394d1d58a51ee2454aa
                                                          • Instruction ID: f98fd48b5f11c55ca2b824b51edf0ac8b9f62e83d2384ac1ea761d503b5c0066
                                                          • Opcode Fuzzy Hash: a52477e19910e4da05885d63780c73f665f8b4f609a41394d1d58a51ee2454aa
                                                          • Instruction Fuzzy Hash: 01A1C7A290B2CCCFCB31C7B97C441D57FE67B76309B146899D481A7662D2204E4BEB29

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E550AA,?,?,00000000,00000000), ref: 00E542B2
                                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E550AA,?,?,00000000,00000000), ref: 00E542C9
                                                          • LoadResource.KERNEL32(?,00000000,?,?,00E550AA,?,?,00000000,00000000,?,?,?,?,?,?,00E54F20), ref: 00E935BE
                                                          • SizeofResource.KERNEL32(?,00000000,?,?,00E550AA,?,?,00000000,00000000,?,?,?,?,?,?,00E54F20), ref: 00E935D3
                                                          • LockResource.KERNEL32(00E550AA,?,?,00E550AA,?,?,00000000,00000000,?,?,?,?,?,?,00E54F20,?), ref: 00E935E6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                          • String ID: SCRIPT
                                                          • API String ID: 3051347437-3967369404
                                                          • Opcode ID: b0fa62dc1585d2b02be6c90194f7c10c218399ded5cc5e7d3f60675976edd75d
                                                          • Instruction ID: e8f5b811d389bccf147cb4e1b8ceb488f8d11f6b8edc0ead0e447b96f793441c
                                                          • Opcode Fuzzy Hash: b0fa62dc1585d2b02be6c90194f7c10c218399ded5cc5e7d3f60675976edd75d
                                                          • Instruction Fuzzy Hash: AD11C274200705BFD7219B66DC88F277BB9EBC9B56F204569F903EA1A0DB71DC468620

                                                          Control-flow Graph

                                                          APIs
                                                          • lstrlenW.KERNEL32(?,"R), ref: 00EBDBCE
                                                          • GetFileAttributesW.KERNELBASE(?), ref: 00EBDBDD
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EBDBEE
                                                          • FindClose.KERNEL32(00000000), ref: 00EBDBFA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: FileFind$AttributesCloseFirstlstrlen
                                                          • String ID: "R
                                                          • API String ID: 2695905019-1746183819
                                                          • Opcode ID: 255f00925af83f8a3e69d20d687d920d113bbc3351d42065e7b6b15f5648d5f8
                                                          • Instruction ID: 09cdc589c440359f8bde375824c13c61a9b1955ec85644bc92203f76a894ba38
                                                          • Opcode Fuzzy Hash: 255f00925af83f8a3e69d20d687d920d113bbc3351d42065e7b6b15f5648d5f8
                                                          • Instruction Fuzzy Hash: 4DF0EC3081491D5B82206B7C9C4E4EB7B6C9F05334B204702F935E20F0FBB05D59C9D5

                                                          Control-flow Graph

                                                          APIs
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00E52B6B
                                                            • Part of subcall function 00E53A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F21418,?,00E52E7F,?,?,?,00000000), ref: 00E53A78
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                          • GetForegroundWindow.USER32(runas,?,?,?,?,?,00F12224), ref: 00E92C10
                                                          • ShellExecuteW.SHELL32(00000000,?,?,00F12224), ref: 00E92C17
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                          • String ID: runas
                                                          • API String ID: 448630720-4000483414
                                                          • Opcode ID: 23405c62be05a35d4ab59d0adb76dc7349b437b0a86a010e0015d9b3d908dabc
                                                          • Instruction ID: 1596a5228e69507d8837d28faf735dceb041ff2213e7dafdd310d2df63042355
                                                          • Opcode Fuzzy Hash: 23405c62be05a35d4ab59d0adb76dc7349b437b0a86a010e0015d9b3d908dabc
                                                          • Instruction Fuzzy Hash: F011A531208345AAC718FF70D8519AEB7E4AFA6746F443C2DFA56760A3DF20854E9712

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00E828E9,(,00E74CBE,00000000,00F188B8,0000000C,00E74E15,(,00000002,00000000,?,00E828E9,00000003,00E82DF7,?,?), ref: 00E74D09
                                                          • TerminateProcess.KERNEL32(00000000,?,00E828E9,00000003,00E82DF7,?,?,?,00E7E6D1,?,00F18A48,00000010,00E54F4A,?,?,00000000), ref: 00E74D10
                                                          • ExitProcess.KERNEL32 ref: 00E74D22
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Process$CurrentExitTerminate
                                                          • String ID: (
                                                          • API String ID: 1703294689-2063206799
                                                          • Opcode ID: 08c5d67ff23cc44d70cf6770596fa7d500f03a4374f07aebbfd0aa19c928fba3
                                                          • Instruction ID: e237c216f775c75649639be9be3a370e785204c28b52b6e5af579ded336f72bf
                                                          • Opcode Fuzzy Hash: 08c5d67ff23cc44d70cf6770596fa7d500f03a4374f07aebbfd0aa19c928fba3
                                                          • Instruction Fuzzy Hash: 5EE046B1000188AFCF21AFA5DD49A483B69EB41785B208014FD58AA162CB35ED42CB80
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00EDA6AC
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00EDA6BA
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00EDA79C
                                                          • CloseHandle.KERNELBASE(00000000), ref: 00EDA7AB
                                                            • Part of subcall function 00E6CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00E93303,?), ref: 00E6CE8A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                          • String ID:
                                                          • API String ID: 1991900642-0
                                                          • Opcode ID: 86a63c7fa5433fe7756d64cdd872900d152969b17d2ee7e467613ba839763ed5
                                                          • Instruction ID: 79b9ed41e8b98b382e2a56de5235d927fc7d10a28210e92362e590bcb455335e
                                                          • Opcode Fuzzy Hash: 86a63c7fa5433fe7756d64cdd872900d152969b17d2ee7e467613ba839763ed5
                                                          • Instruction Fuzzy Hash: BC518E71508300AFC710EF24D886A6BBBF8FF89754F00592DF985A7252EB30D909CB92

                                                          Control-flow Graph

                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00EDB198
                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EDB1B0
                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EDB1D4
                                                          • _wcslen.LIBCMT ref: 00EDB200
                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EDB214
                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EDB236
                                                          • _wcslen.LIBCMT ref: 00EDB332
                                                            • Part of subcall function 00EC05A7: GetStdHandle.KERNEL32(000000F6), ref: 00EC05C6
                                                          • _wcslen.LIBCMT ref: 00EDB34B
                                                          • _wcslen.LIBCMT ref: 00EDB366
                                                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EDB3B6
                                                          • GetLastError.KERNEL32(00000000), ref: 00EDB407
                                                          • CloseHandle.KERNEL32(?), ref: 00EDB439
                                                          • CloseHandle.KERNEL32(00000000), ref: 00EDB44A
                                                          • CloseHandle.KERNEL32(00000000), ref: 00EDB45C
                                                          • CloseHandle.KERNEL32(00000000), ref: 00EDB46E
                                                          • CloseHandle.KERNEL32(?), ref: 00EDB4E3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 2178637699-0
                                                          • Opcode ID: 7f294a33e908438040bc00adfcbef36a849b052039c7ae00005050051fa1d23b
                                                          • Instruction ID: 47df3472e7b0dd83eddbb6f33f93f25dd4c68a5220898c499d137669ba672004
                                                          • Opcode Fuzzy Hash: 7f294a33e908438040bc00adfcbef36a849b052039c7ae00005050051fa1d23b
                                                          • Instruction Fuzzy Hash: C7F17931504340DFC714EF24D891A6ABBE5EF85314F15985EF899AB3A2EB31EC06CB52
                                                          APIs
                                                          • GetInputState.USER32 ref: 00E5D807
                                                          • timeGetTime.WINMM ref: 00E5DA07
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E5DB28
                                                          • TranslateMessage.USER32(?), ref: 00E5DB7B
                                                          • DispatchMessageW.USER32(?), ref: 00E5DB89
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E5DB9F
                                                          • Sleep.KERNELBASE(0000000A), ref: 00E5DBB1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                          • String ID:
                                                          • API String ID: 2189390790-0
                                                          • Opcode ID: ea32c2ba078df85230e0ff7b0ba52acd444133d88f470a2c853da0b2f8ec9ffd
                                                          • Instruction ID: dc9756c79f4c867c28b96b46cebe12fbde009584a32ee252772c6388db3e49af
                                                          • Opcode Fuzzy Hash: ea32c2ba078df85230e0ff7b0ba52acd444133d88f470a2c853da0b2f8ec9ffd
                                                          • Instruction Fuzzy Hash: 0142E330608245DFD738CF24CC84BAAB7E1BF8A319F14695DE955BB291D770E848CB92

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00E52D07
                                                          • RegisterClassExW.USER32(00000030), ref: 00E52D31
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E52D42
                                                          • InitCommonControlsEx.COMCTL32(?), ref: 00E52D5F
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E52D6F
                                                          • LoadIconW.USER32(000000A9), ref: 00E52D85
                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E52D94
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                          • API String ID: 2914291525-1005189915
                                                          • Opcode ID: 3b463ef417c5fd8db0dd077d9b136c4a537530a8aea26570859723aeda1dc5f2
                                                          • Instruction ID: fec54c7dbba1389a80082ce8f41143d5949b75802affd8d0ba963083d4b90615
                                                          • Opcode Fuzzy Hash: 3b463ef417c5fd8db0dd077d9b136c4a537530a8aea26570859723aeda1dc5f2
                                                          • Instruction Fuzzy Hash: D321E3B190134CAFDB10DFA5E889BDDBBB4FB08700F10411AF911BA2A0D7B14586DF95

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 00E9039A: CreateFileW.KERNELBASE(00000000,00000000,?,00E90704,?,?,00000000,?,00E90704,00000000,0000000C), ref: 00E903B7
                                                          • GetLastError.KERNEL32 ref: 00E9076F
                                                          • __dosmaperr.LIBCMT ref: 00E90776
                                                          • GetFileType.KERNELBASE(00000000), ref: 00E90782
                                                          • GetLastError.KERNEL32 ref: 00E9078C
                                                          • __dosmaperr.LIBCMT ref: 00E90795
                                                          • CloseHandle.KERNEL32(00000000), ref: 00E907B5
                                                          • CloseHandle.KERNEL32(?), ref: 00E908FF
                                                          • GetLastError.KERNEL32 ref: 00E90931
                                                          • __dosmaperr.LIBCMT ref: 00E90938
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                          • String ID: H
                                                          • API String ID: 4237864984-2852464175
                                                          • Opcode ID: eedaad7669305d722455b2e15c502621de8d1fbcfc5cec2a393850e0916c371b
                                                          • Instruction ID: 059107f01779185fee36620fb95a4ca788b3583f82293790f6811dde663c9748
                                                          • Opcode Fuzzy Hash: eedaad7669305d722455b2e15c502621de8d1fbcfc5cec2a393850e0916c371b
                                                          • Instruction Fuzzy Hash: F5A12732A041488FDF29EF68D851BAD7BE0EB46324F145159F815BF2A2DB319C13DB91

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 00E53A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F21418,?,00E52E7F,?,?,?,00000000), ref: 00E53A78
                                                            • Part of subcall function 00E53357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E53379
                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E5356A
                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E9318D
                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E931CE
                                                          • RegCloseKey.ADVAPI32(?), ref: 00E93210
                                                          • _wcslen.LIBCMT ref: 00E93277
                                                          • _wcslen.LIBCMT ref: 00E93286
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                          • API String ID: 98802146-2727554177
                                                          • Opcode ID: 99b704f610afcaeb74849d157f35bb5788a3dcd0a3a6c37f2cade8d378b03d8f
                                                          • Instruction ID: 668ab21c2d9ec946517ec99cc5d0fde733440f71d023c5937c95f6a229fb3171
                                                          • Opcode Fuzzy Hash: 99b704f610afcaeb74849d157f35bb5788a3dcd0a3a6c37f2cade8d378b03d8f
                                                          • Instruction Fuzzy Hash: 4D71E671405305AEC724DF69EC8185BBBE8FF84340F50282EF945E71B1EB309A4ACB52

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00E52B8E
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00E52B9D
                                                          • LoadIconW.USER32(00000063), ref: 00E52BB3
                                                          • LoadIconW.USER32(000000A4), ref: 00E52BC5
                                                          • LoadIconW.USER32(000000A2), ref: 00E52BD7
                                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E52BEF
                                                          • RegisterClassExW.USER32(?), ref: 00E52C40
                                                            • Part of subcall function 00E52CD4: GetSysColorBrush.USER32(0000000F), ref: 00E52D07
                                                            • Part of subcall function 00E52CD4: RegisterClassExW.USER32(00000030), ref: 00E52D31
                                                            • Part of subcall function 00E52CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E52D42
                                                            • Part of subcall function 00E52CD4: InitCommonControlsEx.COMCTL32(?), ref: 00E52D5F
                                                            • Part of subcall function 00E52CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E52D6F
                                                            • Part of subcall function 00E52CD4: LoadIconW.USER32(000000A9), ref: 00E52D85
                                                            • Part of subcall function 00E52CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E52D94
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                          • String ID: #$0$AutoIt v3
                                                          • API String ID: 423443420-4155596026
                                                          • Opcode ID: fe15fb0c78ea567cbb9387ff27c5ab1fc745e8eded340b41861fd0360e1abd2b
                                                          • Instruction ID: 780d0b53cde1235edf7d0293f18239dee868f0e687c6678ee87d5640e7120b6b
                                                          • Opcode Fuzzy Hash: fe15fb0c78ea567cbb9387ff27c5ab1fc745e8eded340b41861fd0360e1abd2b
                                                          • Instruction Fuzzy Hash: FF211070D0035CAFDB20DFA6EC95A9A7FB5FB58B50F10002AF500B6660D7B10956DF98

                                                          Control-flow Graph

                                                          APIs
                                                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E5316A,?,?), ref: 00E531D8
                                                          • KillTimer.USER32(?,00000001,?,?,?,?,?,00E5316A,?,?), ref: 00E53204
                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E53227
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E5316A,?,?), ref: 00E53232
                                                          • CreatePopupMenu.USER32 ref: 00E53246
                                                          • PostQuitMessage.USER32(00000000), ref: 00E53267
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                          • String ID: TaskbarCreated
                                                          • API String ID: 129472671-2362178303
                                                          • Opcode ID: 5f4c90ff44c610988d9efb5e834ddddad5c7d5858bcae4aa84999463549e2e25
                                                          • Instruction ID: 04d55a229b0f0d93b731cccbe0c82d742c81abff1d999d78f196ef09d59bbf86
                                                          • Opcode Fuzzy Hash: 5f4c90ff44c610988d9efb5e834ddddad5c7d5858bcae4aa84999463549e2e25
                                                          • Instruction Fuzzy Hash: 3B419D34200608BBDF245B389D4DBB93B59F7153CAF14292AFD01B61A2CB718E49A765

                                                          Control-flow Graph

                                                          APIs
                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E51459
                                                          • CoUninitialize.COMBASE ref: 00E514F8
                                                          • UnregisterHotKey.USER32(?), ref: 00E516DD
                                                          • DestroyWindow.USER32(?), ref: 00E924B9
                                                          • FreeLibrary.KERNEL32(?), ref: 00E9251E
                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E9254B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                          • String ID: close all
                                                          • API String ID: 469580280-3243417748
                                                          • Opcode ID: 4ba5807ef8bf5e3d229bf6772b18d49e6c52ad6c8209f2d14efcc8265ea80bfe
                                                          • Instruction ID: 61ae52b3d1ff20f30246386695f9558ae998c0af1927fb9c57a3329c3102c7ae
                                                          • Opcode Fuzzy Hash: 4ba5807ef8bf5e3d229bf6772b18d49e6c52ad6c8209f2d14efcc8265ea80bfe
                                                          • Instruction Fuzzy Hash: C8D188306012129FCF29EF15D899B68F7A0BF04305F2565ADE94A7B262CB31AC1ACF51

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E52C91
                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E52CB2
                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00E51CAD,?), ref: 00E52CC6
                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00E51CAD,?), ref: 00E52CCF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$CreateShow
                                                          • String ID: AutoIt v3$edit
                                                          • API String ID: 1584632944-3779509399
                                                          • Opcode ID: d194415cd1433c958cc48ac833a3eab06cd360c41eebae7e3e432ad9db904b08
                                                          • Instruction ID: d57627972181202d4a963fdb588ce8445b2822eafe8fa321bbb3af5b5b562e02
                                                          • Opcode Fuzzy Hash: d194415cd1433c958cc48ac833a3eab06cd360c41eebae7e3e432ad9db904b08
                                                          • Instruction Fuzzy Hash: 44F030755403DC7AE73047236C48E773E7EE7DAF50B11002AF900A6160C2720C42EA74

                                                          Control-flow Graph

                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E53B0F,SwapMouseButtons,00000004,?), ref: 00E53B40
                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E53B0F,SwapMouseButtons,00000004,?), ref: 00E53B61
                                                          • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00E53B0F,SwapMouseButtons,00000004,?), ref: 00E53B83
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID: Control Panel\Mouse
                                                          • API String ID: 3677997916-824357125
                                                          • Opcode ID: 588a935c811b521689ea0baa2ee4f87eeec79f80791e606f5d7f8aa57baa23c8
                                                          • Instruction ID: 26165daf0d48bf575d74617a515fc897de34dd2d770f7cf23405b0ad27fb8c05
                                                          • Opcode Fuzzy Hash: 588a935c811b521689ea0baa2ee4f87eeec79f80791e606f5d7f8aa57baa23c8
                                                          • Instruction Fuzzy Hash: 93112AB5510218FFDB60CFA5DC84AEEB7B9EF04785B105859F805E7110D2319F499760
                                                          APIs
                                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E933A2
                                                            • Part of subcall function 00E56B57: _wcslen.LIBCMT ref: 00E56B6A
                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E53A04
                                                          Strings
                                                          Similarity
                                                          • API ID: IconLoadNotifyShell_String_wcslen
                                                          • String ID: Line:
                                                          • API String ID: 2289894680-1585850449
                                                          • Opcode ID: 27cedc0c13eacf6e71ce2a1d7ea9dd0b65a13230df8206d00a3857b0dadb3831
                                                          • Instruction ID: 768c4f85a81cb133afc66042ba1adcae403f90e44d38c2d348938be3c14d34dd
                                                          • Opcode Fuzzy Hash: 27cedc0c13eacf6e71ce2a1d7ea9dd0b65a13230df8206d00a3857b0dadb3831
                                                          • Instruction Fuzzy Hash: 653124B1408308AAC721EB20DC45BEBB3D8AF94355F006D2AF999A3091DB709A4DC7C6
                                                          APIs
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00E70668
                                                            • Part of subcall function 00E732A4: RaiseException.KERNEL32(?,?,?,00E7068A,?,00F21444,?,?,?,?,?,?,00E7068A,00E51129,00F18738,00E51129), ref: 00E73304
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00E70685
                                                          Strings
                                                          Similarity
                                                          • API ID: Exception@8Throw$ExceptionRaise
                                                          • String ID: Unknown exception
                                                          • API String ID: 3476068407-410509341
                                                          • Opcode ID: 17b3de016419f2bb14a3da008691314a21a169c2184d470d55360b8758e6210c
                                                          • Instruction ID: bee8d349ec2ac6e5783914170196ffd549f8214266ab245f533fe4a1a91da515
                                                          • Opcode Fuzzy Hash: 17b3de016419f2bb14a3da008691314a21a169c2184d470d55360b8758e6210c
                                                          • Instruction Fuzzy Hash: E0F0C83490020DB7CB00F6B4E856D9E77AC5E40394B60E131F82CB55D2EF71EA65D581
                                                          APIs
                                                            • Part of subcall function 00E51BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E51BF4
                                                            • Part of subcall function 00E51BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E51BFC
                                                            • Part of subcall function 00E51BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E51C07
                                                            • Part of subcall function 00E51BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E51C12
                                                            • Part of subcall function 00E51BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E51C1A
                                                            • Part of subcall function 00E51BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E51C22
                                                            • Part of subcall function 00E51B4A: RegisterWindowMessageW.USER32(00000004,?,00E512C4), ref: 00E51BA2
                                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E5136A
                                                          • OleInitialize.OLE32 ref: 00E51388
                                                          • CloseHandle.KERNEL32(00000000,00000000), ref: 00E924AB
                                                          Similarity
                                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                          • String ID:
                                                          • API String ID: 1986988660-0
                                                          • Opcode ID: de12d0785099d6ef49ed10dcf850f93c00ea9268ab7824299ff8a66afa7b0cfa
                                                          • Instruction ID: 19306ceb23dbda6f25b4895c17bc546c02588b7d31ba4b0db0ca09aecbe91fca
                                                          • Opcode Fuzzy Hash: de12d0785099d6ef49ed10dcf850f93c00ea9268ab7824299ff8a66afa7b0cfa
                                                          • Instruction Fuzzy Hash: 9C71C2B490124C8EC7A4EF79BD866953AE0FBE934431856BAD40AE7362E7344407EF4D
                                                          APIs
                                                            • Part of subcall function 00E53923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E53A04
                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EBC259
                                                          • KillTimer.USER32(?,00000001,?,?), ref: 00EBC261
                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EBC270
                                                          Similarity
                                                          • API ID: IconNotifyShell_Timer$Kill
                                                          • String ID:
                                                          • API String ID: 3500052701-0
                                                          • Opcode ID: 51f28be2f86b6757c258546f391fefe31bcb01aa24a34a7d80103513b0b381bc
                                                          • Instruction ID: f03f9700ceae80b24746b9cc256ee6c38509b3e5ac29d45d5646b89bc70be35f
                                                          • Opcode Fuzzy Hash: 51f28be2f86b6757c258546f391fefe31bcb01aa24a34a7d80103513b0b381bc
                                                          • Instruction Fuzzy Hash: 8631B670904744AFEB328F7488957E7BBEC9B06308F10149AE5D9B7251C3745A89CB51
                                                          APIs
                                                          • CloseHandle.KERNELBASE(00000000,00000000,?,?,00E885CC,?,00F18CC8,0000000C), ref: 00E88704
                                                          • GetLastError.KERNEL32(?,00E885CC,?,00F18CC8,0000000C), ref: 00E8870E
                                                          • __dosmaperr.LIBCMT ref: 00E88739
                                                          Similarity
                                                          • API ID: CloseErrorHandleLast__dosmaperr
                                                          • String ID:
                                                          • API String ID: 2583163307-0
                                                          • Opcode ID: 8b5364af464ec9a8c642611dbe7a350e6ab40e7bbf4fe73b27f6e9bc5cc439b3
                                                          • Instruction ID: e77c75aa38057fccc01b014aca0c513e2afc3220cd3c840b9ff5c19ec03ca7f3
                                                          • Opcode Fuzzy Hash: 8b5364af464ec9a8c642611dbe7a350e6ab40e7bbf4fe73b27f6e9bc5cc439b3
                                                          • Instruction Fuzzy Hash: AE016B336046601AC23072346A4577E27994B8177CF782119FC1CFB0D3EEA19C82A350
                                                          APIs
                                                          • TranslateMessage.USER32(?), ref: 00E5DB7B
                                                          • DispatchMessageW.USER32(?), ref: 00E5DB89
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E5DB9F
                                                          • Sleep.KERNELBASE(0000000A), ref: 00E5DBB1
                                                          • TranslateAcceleratorW.USER32(?,?,?), ref: 00EA1CC9
                                                          Similarity
                                                          • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                          • String ID:
                                                          • API String ID: 3288985973-0
                                                          • Opcode ID: e0019bcbecca40945c18838533ab54d50788f695dcfd0db9b2448640187d3ba4
                                                          • Instruction ID: c541df4d31d727dadd6c675b4296cbb419802704f5c0cef307ad321b2e7f4813
                                                          • Opcode Fuzzy Hash: e0019bcbecca40945c18838533ab54d50788f695dcfd0db9b2448640187d3ba4
                                                          • Instruction Fuzzy Hash: 2CF05E306483849BE734CBB19C89FEA73A9FB49315F105929FA0AE70C0DB30A48D9B15
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 00E617F6
                                                          Strings
                                                          Similarity
                                                          • API ID: Init_thread_footer
                                                          • String ID: CALL
                                                          • API String ID: 1385522511-4196123274
                                                          • Opcode ID: 5dd7b67e86f7729e7ec0459edf9e30b11bb4573b0d0f5bfdb5821405b9848ba0
                                                          • Instruction ID: 971d98721fa6b5a76fa1cbcb6d93ec01346ac36d1e2bae13e44a02dede1738c3
                                                          • Opcode Fuzzy Hash: 5dd7b67e86f7729e7ec0459edf9e30b11bb4573b0d0f5bfdb5821405b9848ba0
                                                          • Instruction Fuzzy Hash: 5622BD706083019FC715DF14D480B6ABBF1BF8A394F18999DF496AB362D731E845CB82
                                                          APIs
                                                          • GetOpenFileNameW.COMDLG32(?), ref: 00E92C8C
                                                            • Part of subcall function 00E53AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E53A97,?,?,00E52E7F,?,?,?,00000000), ref: 00E53AC2
                                                            • Part of subcall function 00E52DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E52DC4
                                                          Strings
                                                          Similarity
                                                          • API ID: Name$Path$FileFullLongOpen
                                                          • String ID: X
                                                          • API String ID: 779396738-3081909835
                                                          • Opcode ID: 7da5fd1a44f07b4cc56dfe545f09a869f9d1611350c0543fc759a668d04f4013
                                                          • Instruction ID: 2103583a8b4745694638148f15273e0bfd9532dc65e8052a41531d1b7021adfc
                                                          • Opcode Fuzzy Hash: 7da5fd1a44f07b4cc56dfe545f09a869f9d1611350c0543fc759a668d04f4013
                                                          • Instruction Fuzzy Hash: 1F21C371A00298AFDF01EF94C845BEE7BF9AF49305F009459E905FB241EBB45A8DCB61
                                                          APIs
                                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E53908
                                                          Similarity
                                                          • API ID: IconNotifyShell_
                                                          • String ID:
                                                          • API String ID: 1144537725-0
                                                          • Opcode ID: 9b6c878b2ec6b783098ab3f0415614c39c5271eec8f0b39a8e94b7e58db65c98
                                                          • Instruction ID: d7aae5fd16b99842f65b123840f32e8d93ad2026df6ed957fdbf21bffce90454
                                                          • Opcode Fuzzy Hash: 9b6c878b2ec6b783098ab3f0415614c39c5271eec8f0b39a8e94b7e58db65c98
                                                          • Instruction Fuzzy Hash: 2F31C1B05043059FD721DF34D88579BBBE8FB49349F000D2EF999A7280E771AA48CB52
                                                          APIs
                                                          • timeGetTime.WINMM ref: 00E6F661
                                                            • Part of subcall function 00E5D73D: GetInputState.USER32 ref: 00E5D807
                                                          • Sleep.KERNEL32(00000000), ref: 00EAF2DE
                                                          Similarity
                                                          • API ID: InputSleepStateTimetime
                                                          • String ID:
                                                          • API String ID: 4149333218-0
                                                          • Opcode ID: 2689f8e4d2da7b55d4e1749fd931bd3ff92b41a7ead7affd39b87b4e13f8d380
                                                          • Instruction ID: 65865cfc8dd771eeca7bb45e9071e166ab2615c95a72c6bc4d1a1131737192be
                                                          • Opcode Fuzzy Hash: 2689f8e4d2da7b55d4e1749fd931bd3ff92b41a7ead7affd39b87b4e13f8d380
                                                          • Instruction Fuzzy Hash: 44F082312402059FD314EF75D445B5AB7E9EF49761F00142AF859EB260DB70A844CB91
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 00E5BB4E
                                                          Similarity
                                                          • API ID: Init_thread_footer
                                                          • String ID:
                                                          • API String ID: 1385522511-0
                                                          • Opcode ID: 8e8e140bf62336d837eaafab2a8e3726f4673b3d040288c7e29bb8a5a5b3f943
                                                          • Instruction ID: 834f665fba5144b87bdabcd38f81036ff16ef3adbd7b4f1550230a30a2389b71
                                                          • Opcode Fuzzy Hash: 8e8e140bf62336d837eaafab2a8e3726f4673b3d040288c7e29bb8a5a5b3f943
                                                          • Instruction Fuzzy Hash: E032CF30A00209EFCF24CF54C894ABEB7B9EF49319F14A459ED05BB262C775AD49CB91
                                                          APIs
                                                            • Part of subcall function 00E54E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E54EDD,?,00F21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E54E9C
                                                            • Part of subcall function 00E54E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E54EAE
                                                            • Part of subcall function 00E54E90: FreeLibrary.KERNEL32(00000000,?,?,00E54EDD,?,00F21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E54EC0
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E54EFD
                                                            • Part of subcall function 00E54E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E93CDE,?,00F21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E54E62
                                                            • Part of subcall function 00E54E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E54E74
                                                            • Part of subcall function 00E54E59: FreeLibrary.KERNEL32(00000000,?,?,00E93CDE,?,00F21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E54E87
                                                          Similarity
                                                          • API ID: Library$Load$AddressFreeProc
                                                          • String ID:
                                                          • API String ID: 2632591731-0
                                                          APIs
                                                          Similarity
                                                          • API ID: __wsopen_s
                                                          • String ID:
                                                          • API String ID: 3347428461-0
                                                          APIs
                                                            • Part of subcall function 00E84C7D: RtlAllocateHeap.NTDLL(00000008,00E51129,00000000,?,00E82E29,00000001,00000364,?,?,?,00E7F2DE,00E83863,00F21444,?,00E6FDF5,?), ref: 00E84CBE
                                                          • _free.LIBCMT ref: 00E8506C
                                                          Similarity
                                                          • API ID: AllocateHeap_free
                                                          • String ID:
                                                          • API String ID: 614378929-0
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000008,00E51129,00000000,?,00E82E29,00000001,00000364,?,?,?,00E7F2DE,00E83863,00F21444,?,00E6FDF5,?), ref: 00E84CBE
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,?,00F21444,?,00E6FDF5,?,?,00E5A976,00000010,00F21440,00E513FC,?,00E513C6,?,00E51129), ref: 00E83852
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,?,00F21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E54F6D
                                                          Similarity
                                                          • API ID: FreeLibrary
                                                          • String ID:
                                                          • API String ID: 3664257935-0
                                                          APIs
                                                          • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E5314E
                                                          Similarity
                                                          • API ID: IconNotifyShell_
                                                          • String ID:
                                                          • API String ID: 1144537725-0
                                                          APIs
                                                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E52DC4
                                                            • Part of subcall function 00E56B57: _wcslen.LIBCMT ref: 00E56B6A
                                                          Similarity
                                                          • API ID: LongNamePath_wcslen
                                                          • String ID:
                                                          • API String ID: 541455249-0
                                                          APIs
                                                            • Part of subcall function 00E53837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E53908
                                                            • Part of subcall function 00E5D73D: GetInputState.USER32 ref: 00E5D807
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00E52B6B
                                                            • Part of subcall function 00E530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E5314E
                                                          Similarity
                                                          • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                          • String ID:
                                                          • API String ID: 3667716007-0
                                                          APIs
                                                          • CreateFileW.KERNELBASE(00000000,00000000,?,00E90704,?,?,00000000,?,00E90704,00000000,0000000C), ref: 00E903B7
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          APIs
                                                          • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00E51CBC
                                                          Similarity
                                                          • API ID: InfoParametersSystem
                                                          • String ID:
                                                          • API String ID: 3098949447-0
                                                          APIs
                                                            • Part of subcall function 00E69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E69BB2
                                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00EE961A
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EE965B
                                                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00EE969F
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EE96C9
                                                          • SendMessageW.USER32 ref: 00EE96F2
                                                          • GetKeyState.USER32(00000011), ref: 00EE978B
                                                          • GetKeyState.USER32(00000009), ref: 00EE9798
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EE97AE
                                                          • GetKeyState.USER32(00000010), ref: 00EE97B8
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EE97E9
                                                          • SendMessageW.USER32 ref: 00EE9810
                                                          • SendMessageW.USER32(?,00001030,?,00EE7E95), ref: 00EE9918
                                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00EE992E
                                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00EE9941
                                                          • SetCapture.USER32(?), ref: 00EE994A
                                                          • ClientToScreen.USER32(?,?), ref: 00EE99AF
                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00EE99BC
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EE99D6
                                                          • ReleaseCapture.USER32 ref: 00EE99E1
                                                          • GetCursorPos.USER32(?), ref: 00EE9A19
                                                          • ScreenToClient.USER32(?,?), ref: 00EE9A26
                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00EE9A80
                                                          • SendMessageW.USER32 ref: 00EE9AAE
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00EE9AEB
                                                          • SendMessageW.USER32 ref: 00EE9B1A
                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00EE9B3B
                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00EE9B4A
                                                          • GetCursorPos.USER32(?), ref: 00EE9B68
                                                          • ScreenToClient.USER32(?,?), ref: 00EE9B75
                                                          • GetParent.USER32(?), ref: 00EE9B93
                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00EE9BFA
                                                          • SendMessageW.USER32 ref: 00EE9C2B
                                                          • ClientToScreen.USER32(?,?), ref: 00EE9C84
                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00EE9CB4
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00EE9CDE
                                                          • SendMessageW.USER32 ref: 00EE9D01
                                                          • ClientToScreen.USER32(?,?), ref: 00EE9D4E
                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00EE9D82
                                                            • Part of subcall function 00E69944: GetWindowLongW.USER32(?,000000EB), ref: 00E69952
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00EE9E05
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                          • String ID: @GUI_DRAGID$F
                                                          • API String ID: 3429851547-4164748364
                                                          • Opcode ID: 29f1da06618ce9d495420e117819230977298e73d239365fd8c8a090ff2254de
                                                          • Instruction ID: 69ea197e8123a4c33c8c3815ef42884aac21218112b6daa38b3f796228280166
                                                          • Opcode Fuzzy Hash: 29f1da06618ce9d495420e117819230977298e73d239365fd8c8a090ff2254de
                                                          • Instruction Fuzzy Hash: F742B030204289AFD720CF26CC84EAABBF5FF49714F14161AF999A72A2D731DC55CB42
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00EE48F3
                                                          • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00EE4908
                                                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00EE4927
                                                          • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00EE494B
                                                          • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00EE495C
                                                          • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00EE497B
                                                          • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00EE49AE
                                                          • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00EE49D4
                                                          • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00EE4A0F
                                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00EE4A56
                                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00EE4A7E
                                                          • IsMenu.USER32(?), ref: 00EE4A97
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EE4AF2
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EE4B20
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00EE4B94
                                                          • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00EE4BE3
                                                          • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00EE4C82
                                                          • wsprintfW.USER32 ref: 00EE4CAE
                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EE4CC9
                                                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00EE4CF1
                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00EE4D13
                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EE4D33
                                                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00EE4D5A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                          • String ID: %d/%02d/%02d
                                                          • API String ID: 4054740463-328681919
                                                          • Opcode ID: af0ae42dfa2f46f08ea08dbc2b87eb64557f921d510290bb372dfaf613bccf58
                                                          • Instruction ID: d9e1af6bc4d2c2ec86db249f966fe821a18e9d215ffea81d1e6ed46695ee05f0
                                                          • Opcode Fuzzy Hash: af0ae42dfa2f46f08ea08dbc2b87eb64557f921d510290bb372dfaf613bccf58
                                                          • Instruction Fuzzy Hash: 0B12F0B1A00289AFEB248F26DC49FAE7BF8AF44714F106129F915FB2E1D7749941CB50
                                                          APIs
                                                          • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00E6F998
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EAF474
                                                          • IsIconic.USER32(00000000), ref: 00EAF47D
                                                          • ShowWindow.USER32(00000000,00000009), ref: 00EAF48A
                                                          • SetForegroundWindow.USER32(00000000), ref: 00EAF494
                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EAF4AA
                                                          • GetCurrentThreadId.KERNEL32 ref: 00EAF4B1
                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EAF4BD
                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00EAF4CE
                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00EAF4D6
                                                          • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00EAF4DE
                                                          • SetForegroundWindow.USER32(00000000), ref: 00EAF4E1
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EAF4F6
                                                          • keybd_event.USER32(00000012,00000000), ref: 00EAF501
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EAF50B
                                                          • keybd_event.USER32(00000012,00000000), ref: 00EAF510
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EAF519
                                                          • keybd_event.USER32(00000012,00000000), ref: 00EAF51E
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EAF528
                                                          • keybd_event.USER32(00000012,00000000), ref: 00EAF52D
                                                          • SetForegroundWindow.USER32(00000000), ref: 00EAF530
                                                          • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00EAF557
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 4125248594-2988720461
                                                          • Opcode ID: e670abde21c58aa3bc82054d86849fb8fb22c32133de0bfb8a8d1861699fbf1d
                                                          • Instruction ID: 167c8d224dc4a2356de28656a84e46c8c32a19c25edd05b42d4b52366aaa88ec
                                                          • Opcode Fuzzy Hash: e670abde21c58aa3bc82054d86849fb8fb22c32133de0bfb8a8d1861699fbf1d
                                                          • Instruction Fuzzy Hash: 67315371A4025C7FEB206BF65C89FBF7E6DEB49B50F200065FA01FA1D1C6B06D01AA61
                                                          APIs
                                                            • Part of subcall function 00EB16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EB170D
                                                            • Part of subcall function 00EB16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EB173A
                                                            • Part of subcall function 00EB16C3: GetLastError.KERNEL32 ref: 00EB174A
                                                          • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00EB1286
                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00EB12A8
                                                          • CloseHandle.KERNEL32(?), ref: 00EB12B9
                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EB12D1
                                                          • GetProcessWindowStation.USER32 ref: 00EB12EA
                                                          • SetProcessWindowStation.USER32(00000000), ref: 00EB12F4
                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EB1310
                                                            • Part of subcall function 00EB10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EB11FC), ref: 00EB10D4
                                                            • Part of subcall function 00EB10BF: CloseHandle.KERNEL32(?,?,00EB11FC), ref: 00EB10E9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                          • String ID: $default$winsta0
                                                          • API String ID: 22674027-1027155976
                                                          • Opcode ID: 960f25a453fd92d7e985087f764e25ca05d698bd7ce0104e908cb063b01468a1
                                                          • Instruction ID: ba5b17082c94fe059c52744cc3275db49b49f269e5781a3fbec87801e2f9b7bd
                                                          • Opcode Fuzzy Hash: 960f25a453fd92d7e985087f764e25ca05d698bd7ce0104e908cb063b01468a1
                                                          • Instruction Fuzzy Hash: EE81AC71900249AFDF219FA4DC99FEF7BB9EF04718F1451A9FA20B61A0DB318945CB21
                                                          APIs
                                                            • Part of subcall function 00EB10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EB1114
                                                            • Part of subcall function 00EB10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EB0B9B,?,?,?), ref: 00EB1120
                                                            • Part of subcall function 00EB10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EB0B9B,?,?,?), ref: 00EB112F
                                                            • Part of subcall function 00EB10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EB0B9B,?,?,?), ref: 00EB1136
                                                            • Part of subcall function 00EB10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EB114D
                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EB0BCC
                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EB0C00
                                                          • GetLengthSid.ADVAPI32(?), ref: 00EB0C17
                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00EB0C51
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EB0C6D
                                                          • GetLengthSid.ADVAPI32(?), ref: 00EB0C84
                                                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EB0C8C
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00EB0C93
                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EB0CB4
                                                          • CopySid.ADVAPI32(00000000), ref: 00EB0CBB
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EB0CEA
                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EB0D0C
                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EB0D1E
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EB0D45
                                                          • HeapFree.KERNEL32(00000000), ref: 00EB0D4C
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EB0D55
                                                          • HeapFree.KERNEL32(00000000), ref: 00EB0D5C
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EB0D65
                                                          • HeapFree.KERNEL32(00000000), ref: 00EB0D6C
                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00EB0D78
                                                          • HeapFree.KERNEL32(00000000), ref: 00EB0D7F
                                                            • Part of subcall function 00EB1193: GetProcessHeap.KERNEL32(00000008,00EB0BB1,?,00000000,?,00EB0BB1,?), ref: 00EB11A1
                                                            • Part of subcall function 00EB1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EB0BB1,?), ref: 00EB11A8
                                                            • Part of subcall function 00EB1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EB0BB1,?), ref: 00EB11B7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                          • String ID:
                                                          • API String ID: 4175595110-0
                                                          • Opcode ID: 02c8adfb55de6448ab46b234dc03db86d27005c3cef28cae005a861f6a4e4b57
                                                          • Instruction ID: 19c1cebea6108a98b08bead73fc2160d384c6986d0bd705060cd57ca2eccc994
                                                          • Opcode Fuzzy Hash: 02c8adfb55de6448ab46b234dc03db86d27005c3cef28cae005a861f6a4e4b57
                                                          • Instruction Fuzzy Hash: BB718A7290020AAFDF10DFA5DC84BEFBBB8BF04314F145515F915BA1A1D771AA46CBA0
                                                          APIs
                                                          • OpenClipboard.USER32(00EECC08), ref: 00ECEB29
                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 00ECEB37
                                                          • GetClipboardData.USER32(0000000D), ref: 00ECEB43
                                                          • CloseClipboard.USER32 ref: 00ECEB4F
                                                          • GlobalLock.KERNEL32(00000000), ref: 00ECEB87
                                                          • CloseClipboard.USER32 ref: 00ECEB91
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00ECEBBC
                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 00ECEBC9
                                                          • GetClipboardData.USER32(00000001), ref: 00ECEBD1
                                                          • GlobalLock.KERNEL32(00000000), ref: 00ECEBE2
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00ECEC22
                                                          • IsClipboardFormatAvailable.USER32(0000000F), ref: 00ECEC38
                                                          • GetClipboardData.USER32(0000000F), ref: 00ECEC44
                                                          • GlobalLock.KERNEL32(00000000), ref: 00ECEC55
                                                          • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00ECEC77
                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00ECEC94
                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00ECECD2
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00ECECF3
                                                          • CountClipboardFormats.USER32 ref: 00ECED14
                                                          • CloseClipboard.USER32 ref: 00ECED59
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                          • String ID:
                                                          • API String ID: 420908878-0
                                                          • Opcode ID: 2ec3c71c3cc6778ebd2cfe4e802ff7ce9eebe3e613f2a6099025f7cbbe41dc5c
                                                          • Instruction ID: 8ffe9dfa7f7b247c9fe2045dd1ee92ea97cc141f1aa98622f15a30ee0b2616c7
                                                          • Opcode Fuzzy Hash: 2ec3c71c3cc6778ebd2cfe4e802ff7ce9eebe3e613f2a6099025f7cbbe41dc5c
                                                          • Instruction Fuzzy Hash: 2B61D2342043469FD310EF60D985F7A7BE4AF84708F14651DF856AB2A2CB32DD0ACB62
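Three of the listings above are the ones a triager pulls out of a report like this: the FindWindowW(Shell_TrayWnd) / AttachThreadInput / keybd_event(0x12) function, the LogonUserW / OpenWindowStationW(winsta0) / OpenDesktopW(default) function, and the OpenClipboard / GetClipboardData function that reads formats 0xD (CF_UNICODETEXT), 0x1 (CF_TEXT) and 0xF (CF_HDROP, followed by DragQueryFileW). As an added example that is not part of the Joe Sandbox report, the Python below parses the "• API.MODULE(args), ref: ADDR" lines into structured calls, rebases each ref against the image base the report gives as "Offset: 00E50000" so the address can be looked up in a disassembler, and flags those three call patterns. The sample input is excerpted from the listings above; MODULE_BASE, the pattern names and the rules in flag() are this example's own assumptions, not Joe Sandbox signatures.

```python
"""Parse the per-function API listings of a Joe Sandbox report
('• API.MODULE(args), ref: ADDR' lines) and flag call patterns worth triaging."""
import re
from dataclasses import dataclass
from typing import List, Optional

MODULE_BASE = 0x00E50000  # assumed image base: the report's "Offset: 00E50000"
CF_TEXT, CF_UNICODETEXT, CF_HDROP = 0x1, 0xD, 0xF  # GetClipboardData formats
VK_MENU = 0x12  # Alt; a synthetic Alt press is the classic foreground-lock bypass

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                # virtual address of the call site
    subcall: Optional[str]  # set when the plugin listed the call under a callee

    def arg_int(self, i: int) -> Optional[int]:
        # '?' (unresolved), string literals such as winsta0, or a missing arg give None
        if i >= len(self.args):
            return None
        try:
            return int(self.args[i], 16)
        except ValueError:
            return None

    @property
    def rva(self) -> int:
        return self.ref - MODULE_BASE  # offset to look up in IDA/Ghidra

def parse(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'APIs', 'Strings', hash lines and other headers
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
    return calls

def flag(calls: List[Call]) -> List[str]:
    """Pattern rules written for this example; they are not Joe Sandbox signatures."""
    apis = {c.api for c in calls}
    findings = []
    formats = {c.arg_int(0) for c in calls if c.api == "GetClipboardData"}
    kinds = [name for name, cf in (("text", CF_TEXT), ("unicode", CF_UNICODETEXT),
                                   ("file drop", CF_HDROP)) if cf in formats]
    if "OpenClipboard" in apis and kinds:
        findings.append("clipboard read: " + ", ".join(kinds))
    alt = any(c.api == "keybd_event" and c.arg_int(0) == VK_MENU for c in calls)
    if alt and {"AttachThreadInput", "SetForegroundWindow"} <= apis:
        findings.append("foreground window forcing (AttachThreadInput + synthetic Alt)")
    winsta = any(c.api == "OpenWindowStationW" and c.args[:1] == ["winsta0"] for c in calls)
    if "LogonUserW" in apis and winsta:
        findings.append("logon with supplied credentials + winsta0 access (RunAs pattern)")
    return findings

# Constructed input: excerpts copied from the listings above.
SAMPLE_CLIPBOARD = """\
APIs
• OpenClipboard.USER32(00EECC08), ref: 00ECEB29
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00ECEB37
• GetClipboardData.USER32(0000000D), ref: 00ECEB43
• CloseClipboard.USER32 ref: 00ECEB4F
• GetClipboardData.USER32(00000001), ref: 00ECEBD1
• GetClipboardData.USER32(0000000F), ref: 00ECEC44
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00ECEC77
"""
SAMPLE_FOREGROUND = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EAF474
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00EAF4CE
• keybd_event.USER32(00000012,00000000), ref: 00EAF501
• SetForegroundWindow.USER32(00000000), ref: 00EAF530
• AttachThreadInput.USER32(?,000000FF,00000000), ref: 00EAF557
"""
SAMPLE_RUNAS = """\
  • Part of subcall function 00EB16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EB170D
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00EB1286
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EB12D1
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EB1310
"""

if __name__ == "__main__":
    for name, text in (("clipboard", SAMPLE_CLIPBOARD), ("foreground", SAMPLE_FOREGROUND),
                       ("runas", SAMPLE_RUNAS)):
        calls = parse(text)
        print(f"{name}: {len(calls)} calls, first at RVA {calls[0].rva:#x} ->", flag(calls))
```

Two caveats when reading the flags. The report states the binary is likely a compiled AutoIt script, so these functions are the interpreter's built-ins (clipboard, window activation and RunAs support shipped with every AutoIt executable), and the report's own "Found large amount of non-executed APIs" signature says that a function being present in the image is not evidence that the embedded script called it; the dynamic call trace, not this static listing, settles that. Second, the `subcall` field matters for address lookups: a "Part of subcall function" line belongs to the callee, so its `rva` points into that callee, not into the function whose listing it appears under.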
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EC69BE
                                                          • FindClose.KERNEL32(00000000), ref: 00EC6A12
                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EC6A4E
                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EC6A75
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EC6AB2
                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EC6ADF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                          • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                          • API String ID: 3830820486-3289030164
                                                          • Opcode ID: 42fcdeeadeff223373844b0d45068809a1be040833e179d2fff6acec3b9f98f6
                                                          • Instruction ID: dba817d0b3c6e96ec4e2d2d1638de6ae0d27f34a46c11dd45e169e1293e21e18
                                                          • Opcode Fuzzy Hash: 42fcdeeadeff223373844b0d45068809a1be040833e179d2fff6acec3b9f98f6
                                                          • Instruction Fuzzy Hash: 10D19171508300AFC304EBA0D991EAFB7ECAF88705F44591DF985E7192EB35DA09CB62
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00EC9663
                                                          • GetFileAttributesW.KERNEL32(?), ref: 00EC96A1
                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 00EC96BB
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00EC96D3
                                                          • FindClose.KERNEL32(00000000), ref: 00EC96DE
                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00EC96FA
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC974A
                                                          • SetCurrentDirectoryW.KERNEL32(00F16B7C), ref: 00EC9768
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EC9772
                                                          • FindClose.KERNEL32(00000000), ref: 00EC977F
                                                          • FindClose.KERNEL32(00000000), ref: 00EC978F
                                                          Strings
                                                          Similarity
                                                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                          • String ID: *.*
                                                          • API String ID: 1409584000-438819550
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00EC97BE
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00EC9819
                                                          • FindClose.KERNEL32(00000000), ref: 00EC9824
                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00EC9840
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC9890
                                                          • SetCurrentDirectoryW.KERNEL32(00F16B7C), ref: 00EC98AE
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EC98B8
                                                          • FindClose.KERNEL32(00000000), ref: 00EC98C5
                                                          • FindClose.KERNEL32(00000000), ref: 00EC98D5
                                                            • Part of subcall function 00EBDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EBDB00
                                                          Strings
                                                          Similarity
                                                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                          • String ID: *.*
                                                          • API String ID: 2640511053-438819550
                                                          APIs
                                                            • Part of subcall function 00EDC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EDB6AE,?,?), ref: 00EDC9B5
                                                            • Part of subcall function 00EDC998: _wcslen.LIBCMT ref: 00EDC9F1
                                                            • Part of subcall function 00EDC998: _wcslen.LIBCMT ref: 00EDCA68
                                                            • Part of subcall function 00EDC998: _wcslen.LIBCMT ref: 00EDCA9E
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EDBF3E
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00EDBFA9
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EDBFCD
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00EDC02C
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00EDC0E7
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EDC154
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EDC1E9
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00EDC23A
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EDC2E3
                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EDC382
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EDC38F
                                                          Similarity
                                                          • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                          • String ID:
                                                          • API String ID: 3102970594-0
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?), ref: 00EC8257
                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00EC8267
                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EC8273
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EC8310
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC8324
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC8356
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EC838C
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC8395
                                                          Strings
                                                          Similarity
                                                          • API ID: CurrentDirectoryTime$File$Local$System
                                                          • String ID: *.*
                                                          • API String ID: 1464919966-438819550
                                                          APIs
                                                            • Part of subcall function 00E53AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E53A97,?,?,00E52E7F,?,?,?,00000000), ref: 00E53AC2
                                                            • Part of subcall function 00EBE199: GetFileAttributesW.KERNEL32(?,00EBCF95), ref: 00EBE19A
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EBD122
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00EBD1DD
                                                          • MoveFileW.KERNEL32(?,?), ref: 00EBD1F0
                                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 00EBD20D
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EBD237
                                                            • Part of subcall function 00EBD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00EBD21C,?,?), ref: 00EBD2B2
                                                          • FindClose.KERNEL32(00000000,?,?,?), ref: 00EBD253
                                                          • FindClose.KERNEL32(00000000), ref: 00EBD264
                                                          Strings
                                                          Similarity
                                                          • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                          • String ID: \*.*
                                                          • API String ID: 1946585618-1173974218
                                                          APIs
                                                          Similarity
                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                          • String ID:
                                                          • API String ID: 1737998785-0
                                                          APIs
                                                            • Part of subcall function 00EB16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EB170D
                                                            • Part of subcall function 00EB16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EB173A
                                                            • Part of subcall function 00EB16C3: GetLastError.KERNEL32 ref: 00EB174A
                                                          • ExitWindowsEx.USER32(?,00000000), ref: 00EBE932
                                                          Strings
                                                          Similarity
                                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                          • String ID: $ $@$SeShutdownPrivilege
                                                          • API String ID: 2234035333-3163812486
                                                          APIs
                                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00ED1276
                                                          • WSAGetLastError.WSOCK32 ref: 00ED1283
                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00ED12BA
                                                          • WSAGetLastError.WSOCK32 ref: 00ED12C5
                                                          • closesocket.WSOCK32(00000000), ref: 00ED12F4
                                                          • listen.WSOCK32(00000000,00000005), ref: 00ED1303
                                                          • WSAGetLastError.WSOCK32 ref: 00ED130D
                                                          • closesocket.WSOCK32(00000000), ref: 00ED133C
                                                          Similarity
                                                          • API ID: ErrorLast$closesocket$bindlistensocket
                                                          • String ID:
                                                          • API String ID: 540024437-0
                                                          APIs
                                                          • _free.LIBCMT ref: 00E8B9D4
                                                          • _free.LIBCMT ref: 00E8B9F8
                                                          • _free.LIBCMT ref: 00E8BB7F
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00EF3700), ref: 00E8BB91
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00F2121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00E8BC09
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00F21270,000000FF,?,0000003F,00000000,?), ref: 00E8BC36
                                                          • _free.LIBCMT ref: 00E8BD4B
                                                          Similarity
                                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                          • String ID:
                                                          • API String ID: 314583886-0
                                                          APIs
                                                            • Part of subcall function 00E53AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E53A97,?,?,00E52E7F,?,?,?,00000000), ref: 00E53AC2
                                                            • Part of subcall function 00EBE199: GetFileAttributesW.KERNEL32(?,00EBCF95), ref: 00EBE19A
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EBD420
                                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 00EBD470
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EBD481
                                                          • FindClose.KERNEL32(00000000), ref: 00EBD498
                                                          • FindClose.KERNEL32(00000000), ref: 00EBD4A1
                                                          Strings
                                                          Similarity
                                                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                          • String ID: \*.*
                                                          • API String ID: 2649000838-1173974218
                                                          • Opcode ID: d9e42c69975c97d0930855ff43635853cfbf55e15a81b7011c02e438f8d2409a
                                                          • Instruction ID: b4d9928198f8955b18104d788dc5253621606566fdebdf3238818619d27d3f09
                                                          • Opcode Fuzzy Hash: d9e42c69975c97d0930855ff43635853cfbf55e15a81b7011c02e438f8d2409a
                                                          • Instruction Fuzzy Hash: 8D314F7100C3859FC204EF64D8918EF77E8AE95315F446E2DF9E5A31A1EB20AA0D8763
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: __floor_pentium4
                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                          • API String ID: 4168288129-2761157908
                                                          • Opcode ID: 7b2ecedf697d8432a4a2b4558ebb1e1165ecc9a892d1e4b773916ec0f28af21d
                                                          • Instruction ID: 78e2ff13e6c88eea26bcdb7863153ac8cd327e0ab95fd57f7b09a4e230449731
                                                          • Opcode Fuzzy Hash: 7b2ecedf697d8432a4a2b4558ebb1e1165ecc9a892d1e4b773916ec0f28af21d
                                                          • Instruction Fuzzy Hash: B9C22971E086288FDB29EE28DD407EAB7B5EB88305F1451EAD44DF7241E775AE818F40
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00EC64DC
                                                          • CoInitialize.OLE32(00000000), ref: 00EC6639
                                                          • CoCreateInstance.OLE32(00EEFCF8,00000000,00000001,00EEFB68,?), ref: 00EC6650
                                                          • CoUninitialize.OLE32 ref: 00EC68D4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                          • String ID: .lnk
                                                          • API String ID: 886957087-24824748
                                                          • Opcode ID: d73261459bf368c09b34c3c05308ea8f5fd480c8e4a49344a426889abddb2499
                                                          • Instruction ID: f8024bccde8d3a2e04f2ae79f63dd73e3378dfa14bd8f7085afd741727c5bd09
                                                          • Opcode Fuzzy Hash: d73261459bf368c09b34c3c05308ea8f5fd480c8e4a49344a426889abddb2499
                                                          • Instruction Fuzzy Hash: ECD16B716083019FC304DF24C991EABB7E8FF94305F10596DF595AB292DB31E90ACBA2
                                                          APIs
                                                          • GetForegroundWindow.USER32(?,?,00000000), ref: 00ED22E8
                                                            • Part of subcall function 00ECE4EC: GetWindowRect.USER32(?,?), ref: 00ECE504
                                                          • GetDesktopWindow.USER32 ref: 00ED2312
                                                          • GetWindowRect.USER32(00000000), ref: 00ED2319
                                                          • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00ED2355
                                                          • GetCursorPos.USER32(?), ref: 00ED2381
                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00ED23DF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                          • String ID:
                                                          • API String ID: 2387181109-0
                                                          • Opcode ID: a78828bdfed803e3972ba81141864555c4f0cac78ecfd5b1e120137c7eae02d8
                                                          • Instruction ID: d427b303ad15ae32afafd50d80287ddae2c4e27233ee72fd2c32146a54af6322
                                                          • Opcode Fuzzy Hash: a78828bdfed803e3972ba81141864555c4f0cac78ecfd5b1e120137c7eae02d8
                                                          • Instruction Fuzzy Hash: C431EF72104356AFCB20DF15C844B9BB7E9FF84314F10191EFA94AB281DB34E90ACB92
                                                          APIs
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                          • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00EC9B78
                                                          • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00EC9C8B
                                                            • Part of subcall function 00EC3874: GetInputState.USER32 ref: 00EC38CB
                                                            • Part of subcall function 00EC3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EC3966
                                                          • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00EC9BA8
                                                          • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00EC9C75
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                          • String ID: *.*
                                                          • API String ID: 1972594611-438819550
                                                          • Opcode ID: d28420744aab2b9485337a4be03b219b712da1c60abf335f3ca15b6e45233f0c
                                                          • Instruction ID: 3466857e0075808b1b841575790127617d59f75f5e3d5942f290cfca2d28e5cc
                                                          • Opcode Fuzzy Hash: d28420744aab2b9485337a4be03b219b712da1c60abf335f3ca15b6e45233f0c
                                                          • Instruction Fuzzy Hash: 93417F7190420AAFCF14DF64C989FEEBBF4EF05305F245459E805B2192DB319E89CB64
                                                          APIs
                                                            • Part of subcall function 00E69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E69BB2
                                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00E69A4E
                                                          • GetSysColor.USER32(0000000F), ref: 00E69B23
                                                          • SetBkColor.GDI32(?,00000000), ref: 00E69B36
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Color$LongProcWindow
                                                          • String ID:
                                                          • API String ID: 3131106179-0
                                                          • Opcode ID: 8990bda23832b3503666030a14734e1dd869082c1007ad6bc060a0f1ad792904
                                                          • Instruction ID: 596b1f007ce220df0dbc43e581946cfb8609f127d28e5a0fd1fb67d3f54a9ee6
                                                          • Opcode Fuzzy Hash: 8990bda23832b3503666030a14734e1dd869082c1007ad6bc060a0f1ad792904
                                                          • Instruction Fuzzy Hash: 37A15B70148448AEE734DA7DAC98EBB36DDEB87388B14311AF042FB593CA35AD01D675
                                                          APIs
                                                            • Part of subcall function 00ED304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00ED307A
                                                            • Part of subcall function 00ED304E: _wcslen.LIBCMT ref: 00ED309B
                                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00ED185D
                                                          • WSAGetLastError.WSOCK32 ref: 00ED1884
                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00ED18DB
                                                          • WSAGetLastError.WSOCK32 ref: 00ED18E6
                                                          • closesocket.WSOCK32(00000000), ref: 00ED1915
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                          • String ID:
                                                          • API String ID: 1601658205-0
                                                          • Opcode ID: 43b27db6b3d08a99e4e9f11a2ade85df4892472a968954c23c20ba7c4d6d3650
                                                          • Instruction ID: 3af708d5da71749d26a495e2258493d241bad7ec978234d366d1c14ba6c92cd5
                                                          • Opcode Fuzzy Hash: 43b27db6b3d08a99e4e9f11a2ade85df4892472a968954c23c20ba7c4d6d3650
                                                          • Instruction Fuzzy Hash: EB51E074A00210AFDB14EF24C886F2A77E5EB84318F189488F9157F3D3CA70AD428BA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                          • String ID:
                                                          • API String ID: 292994002-0
                                                          • Opcode ID: befe264aa7797c68c4506f03b3d0535a5144a5e6e7eb627e9cc43aa5f15ade90
                                                          • Instruction ID: deb91a9cd8be3f502839b9f2a9810a5fc3c5f515490a3839517c8b5d9e87d983
                                                          • Opcode Fuzzy Hash: befe264aa7797c68c4506f03b3d0535a5144a5e6e7eb627e9cc43aa5f15ade90
                                                          • Instruction Fuzzy Hash: 1E21D8317402895FD7248F17C884B56BBD5EF85319B29A49CE845EB351C771DC86CB90
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                          • API String ID: 0-1546025612
                                                          • Opcode ID: 298dc2fc9ac5d919c41ca8395de9f57178506be701be7e25d5278b727e205ecf
                                                          • Instruction ID: 005af83ad8158112a3100183c6e23eda4bc43e8893dde156a7e19960de54c960
                                                          • Opcode Fuzzy Hash: 298dc2fc9ac5d919c41ca8395de9f57178506be701be7e25d5278b727e205ecf
                                                          • Instruction Fuzzy Hash: 81A28E71A0061ACBDF24CF58CA407EEB7B1BF54319F2495AAEC15B7284EB709D85CB90
                                                          APIs
                                                          • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00EBAAAC
                                                          • SetKeyboardState.USER32(00000080), ref: 00EBAAC8
                                                          • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00EBAB36
                                                          • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00EBAB88
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: KeyboardState$InputMessagePostSend
                                                          • String ID:
                                                          • API String ID: 432972143-0
                                                          • Opcode ID: c60b57a70434f641c3a59bfbe365bbfe127c9cae687179f42bef4c0f03af744d
                                                          • Instruction ID: c9272177fb3973e75209b9a93336472583a7ea872a162ac7d7aec7df7496a66b
                                                          • Opcode Fuzzy Hash: c60b57a70434f641c3a59bfbe365bbfe127c9cae687179f42bef4c0f03af744d
                                                          • Instruction Fuzzy Hash: 3E312430A40248AEFF358B658C85BFB7BE6AB44314F1C622AF1A1B61D1D3748985C762
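The "APIs" lists above (the FindFirstFileW/DeleteFileW/FindNextFileW walk over `\*.*`, the socket/bind/closesocket chain, the mouse_event calls, and the GetKeyboardState/PostMessageW/SendInput entry) carry most of their meaning in the immediate arguments Joe Sandbox prints as 8-digit hex. The following is an added example, not part of this report or of Joe Sandbox: a small Python parser for those bullet lines that decodes the constant arguments with Windows SDK values (socket(2,2,17) is AF_INET/SOCK_DGRAM/IPPROTO_UDP, mouse_event flags 0x8001 are MOUSEEVENTF_MOVE|MOUSEEVENTF_ABSOLUTE, PostMessageW message 0x102 is WM_CHAR, SendInput cbSize 0x1C is the 32-bit sizeof(INPUT)) and tags each entry with a behaviour when a whole API set is present. The behaviour labels in SIGNATURES are this example's own naming, not Joe Sandbox signature names; the sample input is copied from the socket/bind and keyboard entries above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One "APIs" bullet as printed in the report. Shapes handled:
#   • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00ED185D
#   • _wcslen.LIBCMT ref: 00EC64DC
#     • Part of subcall function 00ED304E: inet_addr.WSOCK32(?,...), ref: 00ED307A
API_LINE = re.compile(
    r"^\s*(?:\u2022\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                        # raw tokens as printed: '00000002', '?', '*.*'
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    sub = int(m["sub"], 16) if m["sub"] else None
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16), sub)

def as_int(token: str) -> Optional[int]:
    """Known immediates are printed as 8 hex digits; '?' and string literals give None."""
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else None

# Windows SDK constants for the argument positions decoded below.
ADDRESS_FAMILY = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IPPROTO = {0: "IPPROTO_DEFAULT", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
MOUSEEVENTF = {0x1: "MOVE", 0x2: "LEFTDOWN", 0x4: "LEFTUP", 0x8: "RIGHTDOWN",
               0x10: "RIGHTUP", 0x20: "MIDDLEDOWN", 0x40: "MIDDLEUP",
               0x800: "WHEEL", 0x8000: "ABSOLUTE"}
WINDOW_MESSAGE = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x102: "WM_CHAR"}

def decode_args(call: ApiCall) -> list:
    """Readable notes for the arguments of the APIs this example understands."""
    v = [as_int(a) for a in call.args]
    if call.api == "socket" and len(v) >= 3:
        return [ADDRESS_FAMILY.get(v[0], f"af={v[0]}"),
                SOCKET_TYPE.get(v[1], f"type={v[1]}"),
                IPPROTO.get(v[2], f"proto={v[2]}")]
    if call.api == "mouse_event" and v and v[0] is not None:
        return ["|".join(f"MOUSEEVENTF_{n}" for b, n in MOUSEEVENTF.items() if v[0] & b)]
    if call.api == "PostMessageW" and len(v) >= 2 and v[1] in WINDOW_MESSAGE:
        return [WINDOW_MESSAGE[v[1]]]
    if call.api == "SendInput" and len(v) >= 3 and v[2] is not None:
        size = f"cbSize={v[2]}" + (" = sizeof(INPUT) in a 32-bit build" if v[2] == 28 else "")
        return [f"nInputs={v[0]}", size]
    return []

# API sets that, when all present in one function's list, name a behaviour.
# The labels are this example's own, not Joe Sandbox signature names.
SIGNATURES = {
    "directory walk that deletes files": {"FindFirstFileW", "FindNextFileW", "DeleteFileW"},
    "socket bound to a local port": {"socket", "bind"},
    "keystroke injection": {"GetKeyboardState", "SendInput"},
    "mouse simulation": {"mouse_event"},
    "debugger presence check": {"IsDebuggerPresent"},
}

def classify(calls) -> set:
    apis = {c.api for c in calls}
    return {name for name, needed in SIGNATURES.items() if needed <= apis}

def analyse(entry_text: str) -> dict:
    """Parse one entry's APIs list; return its calls, behaviours and decoded arguments."""
    calls = [c for c in map(parse_api_line, entry_text.splitlines()) if c]
    decoded = {}
    for c in calls:
        notes = decode_args(c)
        if notes:
            decoded[f"{c.api}@{c.ref:08X}"] = notes
    return {"calls": calls, "behaviours": classify(calls), "decoded": decoded}

# Constructed input: the APIs bullets of the socket/bind and keyboard entries
# above, copied from this report.
SAMPLE_SOCKET = """
  • Part of subcall function 00ED304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00ED307A
  • Part of subcall function 00ED304E: _wcslen.LIBCMT ref: 00ED309B
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00ED185D
• WSAGetLastError.WSOCK32 ref: 00ED1884
• bind.WSOCK32(00000000,?,00000010), ref: 00ED18DB
• closesocket.WSOCK32(00000000), ref: 00ED1915
"""
SAMPLE_KEYBOARD = """
• GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00EBAAAC
• SetKeyboardState.USER32(00000080), ref: 00EBAAC8
• PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00EBAB36
• SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00EBAB88
"""

if __name__ == "__main__":
    for text in (SAMPLE_SOCKET, SAMPLE_KEYBOARD):
        result = analyse(text)
        print(sorted(result["behaviours"]), result["decoded"])
```

Two caveats when reading the output against this report. First, these entries come from the IDA plugin's static pass over the memory dump, so a decoded chain such as socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) followed by bind shows that the binary contains a UDP receiver bound to a local port, not that the sample exercised it during the run; execution evidence has to come from the dynamic sections of the report. Second, a `?` argument is one Joe Sandbox could not resolve statically, which is why the sockaddr passed to bind (and therefore the port) is not recoverable from this listing.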
                                                          APIs
                                                          • InternetReadFile.WININET(?,?,00000400,?), ref: 00ECCE89
                                                          • GetLastError.KERNEL32(?,00000000), ref: 00ECCEEA
                                                          • SetEvent.KERNEL32(?,?,00000000), ref: 00ECCEFE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ErrorEventFileInternetLastRead
                                                          • String ID:
                                                          • API String ID: 234945975-0
                                                          • Opcode ID: 6c840ff1b82fa89079a2fd6e2ada9be26bd82fa1dad05896292e45f40bdcb8a1
                                                          • Instruction ID: 2eb15e516f8108f88a16baff273f6bb37330f8782b1845fcf7302668732a2077
                                                          • Opcode Fuzzy Hash: 6c840ff1b82fa89079a2fd6e2ada9be26bd82fa1dad05896292e45f40bdcb8a1
                                                          • Instruction Fuzzy Hash: 9B21BD71A007059FD720DFA5CA88FAA77F8EB01318F20941EE64AF6151E771EE4A8B50
                                                          APIs
                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EB82AA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: lstrlen
                                                          • String ID: ($|
                                                          • API String ID: 1659193697-1631851259
                                                          • Opcode ID: dcdf3d8248cd40496af7ce0be13265210ee7b357403b0088a7b2131a7c0aa9ed
                                                          • Instruction ID: 3aa7c572110ef9047a4c85ed8dfc26201ee8916a800e3cfeaf26ee5f9dff4a07
                                                          • Opcode Fuzzy Hash: dcdf3d8248cd40496af7ce0be13265210ee7b357403b0088a7b2131a7c0aa9ed
                                                          • Instruction Fuzzy Hash: 62324674A00605DFCB28CF19C180AAAB7F4FF48714B15D56EE49AEB3A1EB70E941CB40
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EC5CC1
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00EC5D17
                                                          • FindClose.KERNEL32(?), ref: 00EC5D5F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstNext
                                                          • String ID:
                                                          APIs
                                                          • IsDebuggerPresent.KERNEL32 ref: 00E8271A
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E82724
                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00E82731
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                          • String ID:
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 00EC51DA
                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EC5238
                                                          • SetErrorMode.KERNEL32(00000000), ref: 00EC52A1
                                                          Similarity
                                                          • API ID: ErrorMode$DiskFreeSpace
                                                          • String ID:
                                                          APIs
                                                            • Part of subcall function 00E6FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E70668
                                                            • Part of subcall function 00E6FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E70685
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EB170D
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EB173A
                                                          • GetLastError.KERNEL32 ref: 00EB174A
                                                          Similarity
                                                          • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                          • String ID:
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EBD608
                                                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00EBD645
                                                          • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EBD650
                                                          Similarity
                                                          • API ID: CloseControlCreateDeviceFileHandle
                                                          • String ID:
                                                          APIs
                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00EB168C
                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EB16A1
                                                          • FreeSid.ADVAPI32(?), ref: 00EB16B1
                                                          Similarity
                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                          • String ID:
                                                          Similarity
                                                          • API ID:
                                                          • String ID: /
                                                          APIs
                                                          • GetUserNameW.ADVAPI32(?,?), ref: 00EAD28C
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID: X64
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EC6918
                                                          • FindClose.KERNEL32(00000000), ref: 00EC6961
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID:
                                                          APIs
                                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00ED4891,?,?,00000035,?), ref: 00EC37E4
                                                          • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00ED4891,?,?,00000035,?), ref: 00EC37F4
                                                          Similarity
                                                          • API ID: ErrorFormatLastMessage
                                                          • String ID:
                                                          APIs
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00EBB25D
                                                          • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00EBB270
                                                          Similarity
                                                          • API ID: InputSendkeybd_event
                                                          • String ID:
                                                          APIs
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EB11FC), ref: 00EB10D4
                                                          • CloseHandle.KERNEL32(?,?,00EB11FC), ref: 00EB10E9
                                                          Similarity
                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                          • String ID:
                                                          Strings
                                                          • Variable is not of type 'Object'., xrefs: 00EA0C40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Variable is not of type 'Object'.
                                                          • API String ID: 0-1840281001
                                                          • Opcode ID: 20cbf7bfd62bff979a69b42a001dff8aa2c5e8fa3f83308a97ca7ec1e0a8da72
                                                          • Instruction ID: 010ddbd06e8c7ff0b4400f1837d811f8171aae4b4ac29cf3b108413a5b7d7639
                                                          • Opcode Fuzzy Hash: 20cbf7bfd62bff979a69b42a001dff8aa2c5e8fa3f83308a97ca7ec1e0a8da72
                                                          • Instruction Fuzzy Hash: B2327D709003189FCF14DF90C891AEDB7F5BF09309F24A859E806BB291DB75AD49CB61
                                                          APIs
                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E86766,?,?,00000008,?,?,00E8FEFE,00000000), ref: 00E86998
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ExceptionRaise
                                                          • String ID:
                                                          • API String ID: 3997070919-0
                                                          • Opcode ID: ea0f08656e9f2c39c7ff91d14e2807839de4818271710befb52f807457999b05
                                                          • Instruction ID: 59d3c52daf52ec232c1fe24d876317fdfe35129e83cf81c609b80acc5a845000
                                                          • Opcode Fuzzy Hash: ea0f08656e9f2c39c7ff91d14e2807839de4818271710befb52f807457999b05
                                                          • Instruction Fuzzy Hash: 07B15C31510608DFD719DF28C48ABA57BE0FF45368F259698E89DDF2A2C335D991CB40
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: 43eb1187af79a5ac415ff698103f745655423cde2a4b9e41ba0d1b8de99b2b34
                                                          • Instruction ID: 47e2a17401b5b5e8f4aac218fc7bad1cee9034cd153c80e6b9c9ce13a8164935
                                                          • Opcode Fuzzy Hash: 43eb1187af79a5ac415ff698103f745655423cde2a4b9e41ba0d1b8de99b2b34
                                                          • Instruction Fuzzy Hash: B6125071D002299BCB24CF58D9806EEB7F5FF48710F1491AAE859FB255EB309E85CB90
                                                          APIs
                                                          • BlockInput.USER32(00000001), ref: 00ECEABD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: BlockInput
                                                          • String ID:
                                                          • API String ID: 3456056419-0
                                                          • Opcode ID: 690c0494e3d6518c583098a9dee7aba9c970b568af8281ec976c3815b47a8f6c
                                                          • Instruction ID: 5576ebda30d3588b2498a5c941ce5e3d137c7226ad9951c750f5913d42e861d3
                                                          • Opcode Fuzzy Hash: 690c0494e3d6518c583098a9dee7aba9c970b568af8281ec976c3815b47a8f6c
                                                          • Instruction Fuzzy Hash: 3CE04F312002049FC710EF6AD844E9AF7EDAF987A0F10941AFC49EB351DB71E8458BA0
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00E703EE), ref: 00E709DA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: 6fbadebfdbc4d3e83cc38498297941364c20973d8e42a4645ff5fe2f9289d972
                                                          • Instruction ID: ee06ace410c53cc56a991123ed557134f66e0cfb28374b877f4d4a00fc3301e8
                                                          • Opcode Fuzzy Hash: 6fbadebfdbc4d3e83cc38498297941364c20973d8e42a4645ff5fe2f9289d972
                                                          • Instruction Fuzzy Hash:
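The records above are the per-function output of the Joe Sandbox IDA plugin: each one lists the API calls (with their arguments and the referencing address), a normalised "API ID", and opcode/instruction hashes. The following Python is an added example and is not part of this report or of Joe Sandbox. It parses records in the layout shown and flags the three calls in this section that an analyst would look at first: BlockInput.USER32(00000001), the AdjustTokenPrivileges/CloseHandle pair, and SetUnhandledExceptionFilter. The sample records are constructed from the ones above with hashes truncated and the Memory Dump Source and String ID lines left out; the watch-list notes are this example's own. The fallback that matches against "API ID" relies on an observation from these records (RaiseException appears as "ExceptionRaise", AdjustTokenPrivileges plus CloseHandle as "AdjustCloseHandlePrivilegesToken"), not on documented Joe Sandbox behaviour, so it is labelled as a heuristic.

```python
"""Triage of Joe Sandbox 'Similarity' records (added example, not part of the
report or of Joe Sandbox). Flags API calls an analyst would look at first; the
watch-list notes and the 'API ID' word-set fallback are this example's own."""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the records above (hashes truncated,
# Memory Dump Source / String ID lines left out).
SAMPLE = """\
APIs
• CloseHandle.KERNEL32(?,?,00EB11FC), ref: 00EB10E9
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• Opcode ID: 77f11643d1a0b61b
• Instruction Fuzzy Hash: 1CE04F32048600AE
APIs
• BlockInput.USER32(00000001), ref: 00ECEABD
Similarity
• API ID: BlockInput
• Opcode ID: 690c0494e3d6518c
• Instruction Fuzzy Hash: 3CE04F312002049F
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00E703EE), ref: 00E709DA
Similarity
• API ID: ExceptionFilterUnhandled
• Opcode ID: 6fbadebfdbc4d3e8
• Instruction Fuzzy Hash:
Similarity
• API ID:
• Opcode ID: ffe143bb4f700c44
• Instruction Fuzzy Hash: 8C322722D29F014D
"""

# One bullet of the form  Api.MODULE(arg,...), ref: ADDRESS
CALL_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
# One "Key: value" bullet; the value may be empty
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Similarity", "Memory Dump Source", "Joe Sandbox IDA Plugin"}

# APIs worth a first look and the analyst note for each (this example's own list).
WATCH = {
    "BlockInput": "BlockInput(TRUE) stops all keyboard/mouse input; FALSE releases it",
    "AdjustTokenPrivileges": "token privilege change, e.g. enabling SeDebugPrivilege",
    "SetUnhandledExceptionFilter": "top-level filter, not run under a debugger; "
                                   "the CRT installs one too, so weak evidence alone",
}


@dataclass
class Record:
    calls: list = field(default_factory=list)   # (api, module, [args], ref)
    fields: dict = field(default_factory=dict)  # "API ID", "Opcode ID", ...


def parse_records(text):
    """Split report text into Records; each ends at its 'Instruction Fuzzy Hash' line."""
    records, cur = [], Record()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line or line in SECTION_HEADERS:
            continue
        m = CALL_RE.match(line)
        if m:
            cur.calls.append((m["api"], m["module"], [a.strip() for a in m["args"].split(",")], m["ref"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":  # last field of every record
                records.append(cur)
                cur = Record()
    return records


def words(name):
    """CamelCase -> set of words, e.g. 'ExceptionRaise' -> {'Exception', 'Raise'}."""
    return set(re.findall(r"[A-Z][a-z0-9]*", name))


def triage(text):
    """Per record with a hit: its Opcode ID and {api: (ref or None, note)}."""
    findings = []
    for rec in parse_records(text):
        tags = {}
        for api, _mod, args, ref in rec.calls:
            if api in WATCH:
                note = WATCH[api]
                if api == "BlockInput":  # the BOOL argument decides block vs. release
                    flag = int(args[0], 16) if args and args[0] != "?" else None
                    note += " -> " + ("BLOCKING" if flag else "releasing" if flag == 0 else "unknown")
                tags[api] = (ref, note)
        # Fallback: 'API ID' is built from the words of the API names, so it can name a
        # call whose bullet is not shown (heuristic observed in these records, not documented).
        id_words = words(rec.fields.get("API ID", ""))
        for api, note in WATCH.items():
            if api not in tags and id_words and words(api) <= id_words:
                tags[api] = (None, note + " (inferred from API ID)")
        if tags:
            findings.append({"opcode_id": rec.fields.get("Opcode ID", ""), "tags": tags})
    return findings
```

Run against the real report text, `triage()` gives one line per function worth opening in the disassembler, keyed by its Opcode ID so the same function can be recognised across samples. Note the order of evidence: the API bullet is authoritative and carries the argument (BlockInput with 00000001 is blocking, not releasing); the API ID fallback only recovers a call whose bullet is missing from the excerpt, as with AdjustTokenPrivileges in the first record above. SetUnhandledExceptionFilter is kept on the list because the installed filter is bypassed when a debugger is attached, but the C runtime also installs one at startup, so on its own it says little.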
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0
                                                          • API String ID: 0-4108050209
                                                          • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                          • Instruction ID: b3546ebcb2bf917d7c79445c8e264985cdf9cc9be94e35a3ddce89c56d192c13
                                                          • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                          • Instruction Fuzzy Hash: 5351522160C715AAFB3C8568C95E7BE63D58B92308F18F919D9CEF7282C611DE42D393
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ffe143bb4f700c44848a3332421e2ef88a388912d3000d9c21ddb094cd0252dd
                                                          • Instruction ID: 93c643ae4fe275183c0ce7bd8259c8ea33a86e55c2470057c1dc3da87d2e2b2b
                                                          • Opcode Fuzzy Hash: ffe143bb4f700c44848a3332421e2ef88a388912d3000d9c21ddb094cd0252dd
                                                          • Instruction Fuzzy Hash: 8C322722D29F014DD723A635DC22335A649AFF73C5F25D737E85EB59A5EB29C4838200
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cd5ce7a1b2486e396ee5b1527e116bfb0ac317452effcc03f8e5621c68685397
                                                          • Instruction ID: 0f20a873e68910db6b45ac776c50048e53729b268a5f1255745614246993e2b8
                                                          • Opcode Fuzzy Hash: cd5ce7a1b2486e396ee5b1527e116bfb0ac317452effcc03f8e5621c68685397
                                                          • Instruction Fuzzy Hash: 79323931A401158BCF28CF28D4906BDB7A1EF4E358F39A566D49ABF291D230FD81DB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 728b606f8a3735c1eed7854e105e8f16af38a2f631d0d29739bc405d5cc73625
                                                          • Instruction ID: 71b594a9f5e794ec2d9dba674ff63a602eb4db0e0e60b912297d49ba7288d4c8
                                                          • Opcode Fuzzy Hash: 728b606f8a3735c1eed7854e105e8f16af38a2f631d0d29739bc405d5cc73625
                                                          • Instruction Fuzzy Hash: 1E22BEB1A00609DFDF14CF64D881AEEB7F6FF44304F106A29E856B7291EB36A954CB50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a2dc7c1d67ecfe65648e527df90609485d073f29fb139314a980a3a5b5338fa0
                                                          • Instruction ID: 48ad7c1ab9b381303a90b35f3593fd62d9f9643b55a0907ef230889d8900d649
                                                          • Opcode Fuzzy Hash: a2dc7c1d67ecfe65648e527df90609485d073f29fb139314a980a3a5b5338fa0
                                                          • Instruction Fuzzy Hash: FD02B5B0A00209EBCF04DF64D881AEDBBF5FF44344F119569E916BB391EB31AA54CB91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4aabce4bbad1404028bee1fd66dc21d1d8cbb447257bc8845461581025a34de7
                                                          • Instruction ID: b530ce50fcbcefe63b2deb933e7e8062a21c7af7f65f9996213fcfeecebfbfab
                                                          • Opcode Fuzzy Hash: 4aabce4bbad1404028bee1fd66dc21d1d8cbb447257bc8845461581025a34de7
                                                          • Instruction Fuzzy Hash: EBB1F420D2AF414DD723A63A8831336B65CAFFB6D5F51D71BFC2A74D62EB2186878140
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                          • Instruction ID: 8cb91547fdeb883e0700b15304d735d4cba0eeaf916d6b70084c73b6dc225959
                                                          • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                          • Instruction Fuzzy Hash: E291AB322082E349DB2D863D853507DFFE19A923A631A57DED4FAEB1C1FE20C954D620
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                          • Instruction ID: fed2eecf0c41a6098a888e622165796c1eccf18bd2d8a31a42fbdbd2e0ec93da
                                                          • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                          • Instruction Fuzzy Hash: 7591D7722092E34EDB2D427E847407DFFE14A923A531AA7DDD4FAEA1C1FE14C654D620
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 24ad621ed50835332725d019f5aab272fa96203192c0a72728485229968859d1
                                                          • Instruction ID: d45f5ed80b6d16788f7116ee8ab4f5a91a2cdb68648d853c82de049e6eca6cf3
                                                          • Opcode Fuzzy Hash: 24ad621ed50835332725d019f5aab272fa96203192c0a72728485229968859d1
                                                          • Instruction Fuzzy Hash: 24619930348709A6EE389A288D95BFE63D6DF45308F10F91AE8CEFB281D6119E42C755
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          APIs
                                                          • DeleteObject.GDI32(00000000), ref: 00ED2B30
                                                          • DeleteObject.GDI32(00000000), ref: 00ED2B43
                                                          • DestroyWindow.USER32 ref: 00ED2B52
                                                          • GetDesktopWindow.USER32 ref: 00ED2B6D
                                                          • GetWindowRect.USER32(00000000), ref: 00ED2B74
                                                          • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00ED2CA3
                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00ED2CB1
                                                          • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED2CF8
                                                          • GetClientRect.USER32(00000000,?), ref: 00ED2D04
                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00ED2D40
                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED2D62
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED2D75
                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED2D80
                                                          • GlobalLock.KERNEL32(00000000), ref: 00ED2D89
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED2D98
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00ED2DA1
                                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED2DA8
                                                          • GlobalFree.KERNEL32(00000000), ref: 00ED2DB3
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED2DC5
                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00EEFC38,00000000), ref: 00ED2DDB
                                                          • GlobalFree.KERNEL32(00000000), ref: 00ED2DEB
                                                          • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00ED2E11
                                                          • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00ED2E30
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED2E52
                                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED303F
                                                          Similarity
                                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                          • API String ID: 2211948467-2373415609
                                                          APIs
                                                          • SetTextColor.GDI32(?,00000000), ref: 00EE712F
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00EE7160
                                                          • GetSysColor.USER32(0000000F), ref: 00EE716C
                                                          • SetBkColor.GDI32(?,000000FF), ref: 00EE7186
                                                          • SelectObject.GDI32(?,?), ref: 00EE7195
                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00EE71C0
                                                          • GetSysColor.USER32(00000010), ref: 00EE71C8
                                                          • CreateSolidBrush.GDI32(00000000), ref: 00EE71CF
                                                          • FrameRect.USER32(?,?,00000000), ref: 00EE71DE
                                                          • DeleteObject.GDI32(00000000), ref: 00EE71E5
                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00EE7230
                                                          • FillRect.USER32(?,?,?), ref: 00EE7262
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00EE7284
                                                            • Part of subcall function 00EE73E8: GetSysColor.USER32(00000012), ref: 00EE7421
                                                            • Part of subcall function 00EE73E8: SetTextColor.GDI32(?,?), ref: 00EE7425
                                                            • Part of subcall function 00EE73E8: GetSysColorBrush.USER32(0000000F), ref: 00EE743B
                                                            • Part of subcall function 00EE73E8: GetSysColor.USER32(0000000F), ref: 00EE7446
                                                            • Part of subcall function 00EE73E8: GetSysColor.USER32(00000011), ref: 00EE7463
                                                            • Part of subcall function 00EE73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EE7471
                                                            • Part of subcall function 00EE73E8: SelectObject.GDI32(?,00000000), ref: 00EE7482
                                                            • Part of subcall function 00EE73E8: SetBkColor.GDI32(?,00000000), ref: 00EE748B
                                                            • Part of subcall function 00EE73E8: SelectObject.GDI32(?,?), ref: 00EE7498
                                                            • Part of subcall function 00EE73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00EE74B7
                                                            • Part of subcall function 00EE73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EE74CE
                                                            • Part of subcall function 00EE73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00EE74DB
                                                          Similarity
                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                          • String ID:
                                                          • API String ID: 4124339563-0
                                                          APIs
                                                          • DestroyWindow.USER32(?,?), ref: 00E68E14
                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00EA6AC5
                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00EA6AFE
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00EA6F43
                                                            • Part of subcall function 00E68F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E68BE8,?,00000000,?,?,?,?,00E68BBA,00000000,?), ref: 00E68FC5
                                                          • SendMessageW.USER32(?,00001053), ref: 00EA6F7F
                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00EA6F96
                                                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00EA6FAC
                                                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00EA6FB7
                                                          Similarity
                                                          • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                          • String ID: 0
                                                          • API String ID: 2760611726-4108050209
                                                          APIs
                                                          • DestroyWindow.USER32(00000000), ref: 00ED273E
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00ED286A
                                                          • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00ED28A9
                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00ED28B9
                                                          • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00ED2900
                                                          • GetClientRect.USER32(00000000,?), ref: 00ED290C
                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00ED2955
                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00ED2964
                                                          • GetStockObject.GDI32(00000011), ref: 00ED2974
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00ED2978
                                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00ED2988
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ED2991
                                                          • DeleteDC.GDI32(00000000), ref: 00ED299A
                                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00ED29C6
                                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00ED29DD
                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00ED2A1D
                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00ED2A31
                                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00ED2A42
                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00ED2A77
                                                          • GetStockObject.GDI32(00000011), ref: 00ED2A82
                                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00ED2A8D
                                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00ED2A97
                                                          Similarity
                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                          • API String ID: 2910397461-517079104
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 00EC4AED
                                                          • GetDriveTypeW.KERNEL32(?,00EECB68,?,\\.\,00EECC08), ref: 00EC4BCA
                                                          • SetErrorMode.KERNEL32(00000000,00EECB68,?,\\.\,00EECC08), ref: 00EC4D36
                                                          Similarity
                                                          • API ID: ErrorMode$DriveType
                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                          • API String ID: 2907320926-4222207086
                                                          APIs
                                                          • GetSysColor.USER32(00000012), ref: 00EE7421
                                                          • SetTextColor.GDI32(?,?), ref: 00EE7425
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00EE743B
                                                          • GetSysColor.USER32(0000000F), ref: 00EE7446
                                                          • CreateSolidBrush.GDI32(?), ref: 00EE744B
                                                          • GetSysColor.USER32(00000011), ref: 00EE7463
                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EE7471
                                                          • SelectObject.GDI32(?,00000000), ref: 00EE7482
                                                          • SetBkColor.GDI32(?,00000000), ref: 00EE748B
                                                          • SelectObject.GDI32(?,?), ref: 00EE7498
                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00EE74B7
                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EE74CE
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00EE74DB
                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EE752A
                                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00EE7554
                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00EE7572
                                                          • DrawFocusRect.USER32(?,?), ref: 00EE757D
                                                          • GetSysColor.USER32(00000011), ref: 00EE758E
                                                          • SetTextColor.GDI32(?,00000000), ref: 00EE7596
                                                          • DrawTextW.USER32(?,00EE70F5,000000FF,?,00000000), ref: 00EE75A8
                                                          • SelectObject.GDI32(?,?), ref: 00EE75BF
                                                          • DeleteObject.GDI32(?), ref: 00EE75CA
                                                          • SelectObject.GDI32(?,?), ref: 00EE75D0
                                                          • DeleteObject.GDI32(?), ref: 00EE75D5
                                                          • SetTextColor.GDI32(?,?), ref: 00EE75DB
                                                          • SetBkColor.GDI32(?,?), ref: 00EE75E5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                          • String ID:
                                                          • API String ID: 1996641542-0
                                                          • Opcode ID: 12b666e2efb7abb3ffc5debeabfc3cdfe0663dc48dba4286519f43edb58f0380
                                                          • Instruction ID: c500fc546cfa3f3a235671d4e6b3ad7aaf124e2c5061683fb7d07b01b87e9245
                                                          • Opcode Fuzzy Hash: 12b666e2efb7abb3ffc5debeabfc3cdfe0663dc48dba4286519f43edb58f0380
                                                          • Instruction Fuzzy Hash: F1616A7290025CAFDB019FA5DC89EEEBFB9EB08320F214125F915BB2A1D7709945DF90
                                                          APIs
                                                          • GetCursorPos.USER32(?), ref: 00EE1128
                                                          • GetDesktopWindow.USER32 ref: 00EE113D
                                                          • GetWindowRect.USER32(00000000), ref: 00EE1144
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00EE1199
                                                          • DestroyWindow.USER32(?), ref: 00EE11B9
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00EE11ED
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EE120B
                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EE121D
                                                          • SendMessageW.USER32(00000000,00000421,?,?), ref: 00EE1232
                                                          • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00EE1245
                                                          • IsWindowVisible.USER32(00000000), ref: 00EE12A1
                                                          • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00EE12BC
                                                          • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00EE12D0
                                                          • GetWindowRect.USER32(00000000,?), ref: 00EE12E8
                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00EE130E
                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 00EE1328
                                                          • CopyRect.USER32(?,?), ref: 00EE133F
                                                          • SendMessageW.USER32(00000000,00000412,00000000), ref: 00EE13AA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                          • String ID: ($0$tooltips_class32
                                                          • API String ID: 698492251-4156429822
                                                          • Opcode ID: 8d7a9a897ec3efa83a9acb11c032b2f2e51ee78b828964945888084b9a65af3e
                                                          • Instruction ID: 31664ff1742f02f65a68563357e63edbf93e64c334c293f4902a21d9fe2ce93e
                                                          • Opcode Fuzzy Hash: 8d7a9a897ec3efa83a9acb11c032b2f2e51ee78b828964945888084b9a65af3e
                                                          • Instruction Fuzzy Hash: 38B1CF71604385AFD704DF65C884B6BBBE5FF88344F00995CF999AB261C731E849CB92
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 00EE02E5
                                                          • _wcslen.LIBCMT ref: 00EE031F
                                                          • _wcslen.LIBCMT ref: 00EE0389
                                                          • _wcslen.LIBCMT ref: 00EE03F1
                                                          • _wcslen.LIBCMT ref: 00EE0475
                                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00EE04C5
                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EE0504
                                                            • Part of subcall function 00E6F9F2: _wcslen.LIBCMT ref: 00E6F9FD
                                                            • Part of subcall function 00EB223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EB2258
                                                            • Part of subcall function 00EB223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EB228A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                          • API String ID: 1103490817-719923060
                                                          • Opcode ID: e900f5d63d8caeaa334a576d02c23eac6c4e08a3f9718a5949073e5419b3a6a6
                                                          • Instruction ID: 3f4d649dc1962973f1d2d192fde3bbf098f74cf2533fc5d1f2ef9a1d80def7af
                                                          • Opcode Fuzzy Hash: e900f5d63d8caeaa334a576d02c23eac6c4e08a3f9718a5949073e5419b3a6a6
                                                          • Instruction Fuzzy Hash: 12E1C1312083858FC714EF25C55096AB3E6BFC8718B14695CF896BB3A6DB70ED85CB81
                                                          APIs
                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E68968
                                                          • GetSystemMetrics.USER32(00000007), ref: 00E68970
                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E6899B
                                                          • GetSystemMetrics.USER32(00000008), ref: 00E689A3
                                                          • GetSystemMetrics.USER32(00000004), ref: 00E689C8
                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E689E5
                                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E689F5
                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E68A28
                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E68A3C
                                                          • GetClientRect.USER32(00000000,000000FF), ref: 00E68A5A
                                                          • GetStockObject.GDI32(00000011), ref: 00E68A76
                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E68A81
                                                            • Part of subcall function 00E6912D: GetCursorPos.USER32(?), ref: 00E69141
                                                            • Part of subcall function 00E6912D: ScreenToClient.USER32(00000000,?), ref: 00E6915E
                                                            • Part of subcall function 00E6912D: GetAsyncKeyState.USER32(00000001), ref: 00E69183
                                                            • Part of subcall function 00E6912D: GetAsyncKeyState.USER32(00000002), ref: 00E6919D
                                                          • SetTimer.USER32(00000000,00000000,00000028,00E690FC), ref: 00E68AA8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                          • String ID: AutoIt v3 GUI
                                                          • API String ID: 1458621304-248962490
                                                          • Opcode ID: 5fa4fb53fed760738a190d9dfc5a45847d4621af3689f1065f87002012e79850
                                                          • Instruction ID: 07715f98c93e23cae5f17f5ddb66f564c8054b3635ab27e4b4de003e8960b107
                                                          • Opcode Fuzzy Hash: 5fa4fb53fed760738a190d9dfc5a45847d4621af3689f1065f87002012e79850
                                                          • Instruction Fuzzy Hash: 2EB18A71A4020A9FDF14DFA8DD85BAE3BB4FB49354F14522AFA15BB290DB30A841CF54
                                                          APIs
                                                            • Part of subcall function 00EB10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EB1114
                                                            • Part of subcall function 00EB10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EB0B9B,?,?,?), ref: 00EB1120
                                                            • Part of subcall function 00EB10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EB0B9B,?,?,?), ref: 00EB112F
                                                            • Part of subcall function 00EB10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EB0B9B,?,?,?), ref: 00EB1136
                                                            • Part of subcall function 00EB10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EB114D
                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EB0DF5
                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EB0E29
                                                          • GetLengthSid.ADVAPI32(?), ref: 00EB0E40
                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00EB0E7A
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EB0E96
                                                          • GetLengthSid.ADVAPI32(?), ref: 00EB0EAD
                                                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EB0EB5
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00EB0EBC
                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EB0EDD
                                                          • CopySid.ADVAPI32(00000000), ref: 00EB0EE4
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EB0F13
                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EB0F35
                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EB0F47
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EB0F6E
                                                          • HeapFree.KERNEL32(00000000), ref: 00EB0F75
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EB0F7E
                                                          • HeapFree.KERNEL32(00000000), ref: 00EB0F85
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EB0F8E
                                                          • HeapFree.KERNEL32(00000000), ref: 00EB0F95
                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00EB0FA1
                                                          • HeapFree.KERNEL32(00000000), ref: 00EB0FA8
                                                            • Part of subcall function 00EB1193: GetProcessHeap.KERNEL32(00000008,00EB0BB1,?,00000000,?,00EB0BB1,?), ref: 00EB11A1
                                                            • Part of subcall function 00EB1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EB0BB1,?), ref: 00EB11A8
                                                            • Part of subcall function 00EB1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EB0BB1,?), ref: 00EB11B7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                          • String ID:
                                                          • API String ID: 4175595110-0
                                                          • Opcode ID: 39e7c3ae3ed69d972c1094cbec19092dedd0f1dc90f16765d0a5725ba6976ca5
                                                          • Instruction ID: 7bebaf020352923ae19670b87b24258b0ea07b6508b58bf1be78503da0c6b9ab
                                                          • Opcode Fuzzy Hash: 39e7c3ae3ed69d972c1094cbec19092dedd0f1dc90f16765d0a5725ba6976ca5
                                                          • Instruction Fuzzy Hash: E7715C72A0020AAFDF209FA5DC44BEFBBB8BF05314F149155F919BA191D731AA09CB60
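The record above is the one security-relevant chain in this stretch of the listing: GetUserObjectSecurity reads a window station or desktop security descriptor (the 00000004 argument is DACL_SECURITY_INFORMATION), AddAce appends entries to its DACL, and SetUserObjectSecurity writes it back. That is the standard sequence a process performs to grant another account access to its interactive window station and desktop before launching a process under that account, which is the "execute programs as a different user" capability the signature list flags; in a compiled AutoIt binary it is runtime library code (the RunAs support), so its presence alone does not show that the embedded script uses it. The following is an added example, not code from Joe Sandbox or from the AutoIt project: it parses the report's "APIs" line format (including the nested "Part of subcall function" lines), matches this chain as an in-order subsequence, and decodes the SECURITY_INFORMATION argument. The sample lines are copied from the record above; the function and field names (matched, refs, security_information) are this example's own.

```python
"""Parse a Joe Sandbox 'APIs' listing and flag the user-object DACL edit chain.

Added example; not part of the Joe Sandbox report or the AutoIt runtime.
The sample lines are copied from the report record above; the classifier and
its field names (matched / refs / security_information) are this example's own.
"""
import re

# Constructed sample: API lines copied from the function record above, including
# nested "Part of subcall function" lines, in the form the report prints them.
SAMPLE_LISTING = """\
• Part of subcall function 00EB10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EB1114
• Part of subcall function 00EB10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EB0B9B,?,?,?), ref: 00EB1120
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EB0DF5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EB0E29
• GetAce.ADVAPI32(?,00000000,?), ref: 00EB0E7A
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EB0E96
• CopySid.ADVAPI32(00000000), ref: 00EB0EE4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EB0F13
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EB0F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EB0F47
• HeapFree.KERNEL32(00000000), ref: 00EB0F75
"""

# One report line: optional subcall prefix, Api.MODULE, optional "(args)", "ref: address".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# SECURITY_INFORMATION bit flags (winnt.h); the second argument of
# Get/SetUserObjectSecurity selects which parts of the descriptor are touched.
SECURITY_INFORMATION_FLAGS = {
    0x1: "OWNER_SECURITY_INFORMATION",
    0x2: "GROUP_SECURITY_INFORMATION",
    0x4: "DACL_SECURITY_INFORMATION",
    0x8: "SACL_SECURITY_INFORMATION",
}

# In-order chain (other calls may sit between) that reads a window-station or
# desktop security descriptor, appends ACEs to its DACL and writes it back.
USER_OBJECT_DACL_EDIT = (
    "GetUserObjectSecurity",
    "AddAce",
    "SetSecurityDescriptorDacl",
    "SetUserObjectSecurity",
)


def parse_line(line):
    """Return a dict for one listing line, or None if it is not an API line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": args.split(",") if args else [],
        "ref": m.group("ref").upper(),
        "subcall": (m.group("subcall") or "").upper() or None,
    }


def parse_api_listing(text):
    """Parse every API line of a listing, skipping headers such as 'APIs' or 'Strings'."""
    calls = [parse_line(ln) for ln in text.splitlines()]
    return [c for c in calls if c is not None]


def find_sequence(calls, pattern):
    """Return the ref addresses of the first in-order match of pattern, else None."""
    refs, idx = [], 0
    for call in calls:
        if idx < len(pattern) and call["api"] == pattern[idx]:
            refs.append(call["ref"])
            idx += 1
    return refs if idx == len(pattern) else None


def decode_security_information(arg):
    """Expand a hex SECURITY_INFORMATION argument into flag names; '?' stays unknown (None)."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", arg):
        return None
    value = int(arg, 16)
    names = [name for bit, name in SECURITY_INFORMATION_FLAGS.items() if value & bit]
    return "|".join(names) if names else hex(value)


def classify_user_object_dacl_edit(calls):
    """Flag the Get/AddAce/SetUserObjectSecurity chain and decode what it rewrites."""
    refs = find_sequence(calls, USER_OBJECT_DACL_EDIT)
    if refs is None:
        return {"matched": False, "refs": [], "security_information": None}
    setter = next(c for c in calls if c["api"] == "SetUserObjectSecurity")
    info = decode_security_information(setter["args"][1]) if len(setter["args"]) > 1 else None
    return {"matched": True, "refs": refs, "security_information": info}


if __name__ == "__main__":
    print(classify_user_object_dacl_edit(parse_api_listing(SAMPLE_LISTING)))
```

Run against the record above it reports a match with the four ref addresses (00EB1114, 00EB0E96, 00EB0F35, 00EB0F47) and DACL_SECURITY_INFORMATION; run against any of the GUI-drawing records in this listing it reports no match. Because the matcher only requires the calls in order, not adjacent, it tolerates the heap and SID bookkeeping interleaved between them, which is how the report prints the routine.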
                                                          APIs
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EDC4BD
                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00EECC08,00000000,?,00000000,?,?), ref: 00EDC544
                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00EDC5A4
                                                          • _wcslen.LIBCMT ref: 00EDC5F4
                                                          • _wcslen.LIBCMT ref: 00EDC66F
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00EDC6B2
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00EDC7C1
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00EDC84D
                                                          • RegCloseKey.ADVAPI32(?), ref: 00EDC881
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EDC88E
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00EDC960
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                          • API String ID: 9721498-966354055
                                                          • Opcode ID: 56a43fb092b2d373f9ac349b530766bf9dda3dad433e84b5bba6411281a0d6a4
                                                          • Instruction ID: 64fccd9316896a3b1db0f1aefaf83a43684a5f4a8ebfe4bf5bf30c410bfadbea
                                                          • Opcode Fuzzy Hash: 56a43fb092b2d373f9ac349b530766bf9dda3dad433e84b5bba6411281a0d6a4
                                                          • Instruction Fuzzy Hash: 6D126A356042019FCB14DF14D891E2AB7E5EF88765F14985DF88AAB3A2DB31FC46CB81
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 00EE09C6
                                                          • _wcslen.LIBCMT ref: 00EE0A01
                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EE0A54
                                                          • _wcslen.LIBCMT ref: 00EE0A8A
                                                          • _wcslen.LIBCMT ref: 00EE0B06
                                                          • _wcslen.LIBCMT ref: 00EE0B81
                                                            • Part of subcall function 00E6F9F2: _wcslen.LIBCMT ref: 00E6F9FD
                                                            • Part of subcall function 00EB2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EB2BFA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                          • API String ID: 1103490817-4258414348
                                                          • Opcode ID: 957e93119a37fa9b088609ae9e328bf3df278e29eb0526757f51c5afe1d1f91d
                                                          • Instruction ID: fd007306b7d9b94aa06c5eea14a6d6a56b1528c19e914f07bfbc29e962e811d6
                                                          • Opcode Fuzzy Hash: 957e93119a37fa9b088609ae9e328bf3df278e29eb0526757f51c5afe1d1f91d
                                                          • Instruction Fuzzy Hash: F6E19F312083858FC714EF25C45096AB7E1BF98318F14A95DF89ABB362D771ED85CB81
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharUpper
                                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                          • API String ID: 1256254125-909552448
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00EE835A
                                                          • _wcslen.LIBCMT ref: 00EE836E
                                                          • _wcslen.LIBCMT ref: 00EE8391
                                                          • _wcslen.LIBCMT ref: 00EE83B4
                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00EE83F2
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00EE5BF2), ref: 00EE844E
                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EE8487
                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00EE84CA
                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EE8501
                                                          • FreeLibrary.KERNEL32(?), ref: 00EE850D
                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EE851D
                                                          • DestroyIcon.USER32(?,?,?,?,?,00EE5BF2), ref: 00EE852C
                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00EE8549
                                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00EE8555
                                                          Similarity
                                                          • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                          • String ID: .dll$.exe$.icl
                                                          • API String ID: 799131459-1154884017
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                          • API String ID: 0-1645009161
                                                          APIs
                                                          • CharLowerBuffW.USER32(?,?), ref: 00EC3EF8
                                                          • _wcslen.LIBCMT ref: 00EC3F03
                                                          • _wcslen.LIBCMT ref: 00EC3F5A
                                                          • _wcslen.LIBCMT ref: 00EC3F98
                                                          • GetDriveTypeW.KERNEL32(?), ref: 00EC3FD6
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EC401E
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EC4059
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EC4087
                                                          Similarity
                                                          • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                          • API String ID: 1839972693-4113822522
                                                          APIs
                                                          • LoadIconW.USER32(00000063), ref: 00EB5A2E
                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00EB5A40
                                                          • SetWindowTextW.USER32(?,?), ref: 00EB5A57
                                                          • GetDlgItem.USER32(?,000003EA), ref: 00EB5A6C
                                                          • SetWindowTextW.USER32(00000000,?), ref: 00EB5A72
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00EB5A82
                                                          • SetWindowTextW.USER32(00000000,?), ref: 00EB5A88
                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00EB5AA9
                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00EB5AC3
                                                          • GetWindowRect.USER32(?,?), ref: 00EB5ACC
                                                          • _wcslen.LIBCMT ref: 00EB5B33
                                                          • SetWindowTextW.USER32(?,?), ref: 00EB5B6F
                                                          • GetDesktopWindow.USER32 ref: 00EB5B75
                                                          • GetWindowRect.USER32(00000000), ref: 00EB5B7C
                                                          • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00EB5BD3
                                                          • GetClientRect.USER32(?,?), ref: 00EB5BE0
                                                          • PostMessageW.USER32(?,00000005,00000000,?), ref: 00EB5C05
                                                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00EB5C2F
                                                          Similarity
                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                          • String ID:
                                                          • API String ID: 895679908-0
                                                          APIs
                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 00ECFE27
                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00ECFE32
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00ECFE3D
                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00ECFE48
                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00ECFE53
                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00ECFE5E
                                                          • LoadCursorW.USER32(00000000,00007F81), ref: 00ECFE69
                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 00ECFE74
                                                          • LoadCursorW.USER32(00000000,00007F80), ref: 00ECFE7F
                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 00ECFE8A
                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 00ECFE95
                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00ECFEA0
                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 00ECFEAB
                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00ECFEB6
                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 00ECFEC1
                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00ECFECC
                                                          • GetCursorInfo.USER32(?), ref: 00ECFEDC
                                                          • GetLastError.KERNEL32 ref: 00ECFF1E
                                                          Similarity
                                                          • API ID: Cursor$Load$ErrorInfoLast
                                                          • String ID:
                                                          • API String ID: 3215588206-0
                                                          APIs
                                                          • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00E700C6
                                                            • Part of subcall function 00E700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00F2070C,00000FA0,9FC1D6AA,?,?,?,?,00E923B3,000000FF), ref: 00E7011C
                                                            • Part of subcall function 00E700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00E923B3,000000FF), ref: 00E70127
                                                            • Part of subcall function 00E700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00E923B3,000000FF), ref: 00E70138
                                                            • Part of subcall function 00E700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00E7014E
                                                            • Part of subcall function 00E700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00E7015C
                                                            • Part of subcall function 00E700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00E7016A
                                                            • Part of subcall function 00E700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E70195
                                                            • Part of subcall function 00E700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E701A0
                                                          • ___scrt_fastfail.LIBCMT ref: 00E700E7
                                                            • Part of subcall function 00E700A3: __onexit.LIBCMT ref: 00E700A9
                                                          Strings
                                                          • SleepConditionVariableCS, xrefs: 00E70154
                                                          • InitializeConditionVariable, xrefs: 00E70148
                                                          • WakeAllConditionVariable, xrefs: 00E70162
                                                          • kernel32.dll, xrefs: 00E70133
                                                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00E70122
                                                          Similarity
                                                          • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                          • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                          • API String ID: 66158676-1714406822
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                          • API String ID: 176396367-1603158881
                                                          APIs
                                                          • CharLowerBuffW.USER32(00000000,00000000,00EECC08), ref: 00EC4527
                                                          • _wcslen.LIBCMT ref: 00EC453B
                                                          • _wcslen.LIBCMT ref: 00EC4599
                                                          • _wcslen.LIBCMT ref: 00EC45F4
                                                          • _wcslen.LIBCMT ref: 00EC463F
                                                          • _wcslen.LIBCMT ref: 00EC46A7
                                                            • Part of subcall function 00E6F9F2: _wcslen.LIBCMT ref: 00E6F9FD
                                                          • GetDriveTypeW.KERNEL32(?,00F16BF0,00000061), ref: 00EC4743
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharDriveLowerType
                                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                          • API String ID: 2055661098-1000479233
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00EECC08), ref: 00ED40BB
                                                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00ED40CD
                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00EECC08), ref: 00ED40F2
                                                          • FreeLibrary.KERNEL32(00000000,?,00EECC08), ref: 00ED413E
                                                          • StringFromGUID2.OLE32(?,?,00000028,?,00EECC08), ref: 00ED41A8
                                                          • SysFreeString.OLEAUT32(00000009), ref: 00ED4262
                                                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00ED42C8
                                                          • SysFreeString.OLEAUT32(?), ref: 00ED42F2
                                                          Similarity
                                                          • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                                          • String ID: GetModuleHandleExW$kernel32.dll
                                                          • API String ID: 354098117-199464113
                                                          • Opcode ID: 1185881d275300a54ea04ba267804b9d2ae9e12bdca738820c714876ddb2e576
                                                          • Instruction ID: 339f4c2009bb197da7d9c92d34a3998bb88ece57b881437289d70d0f5fef06a5
                                                          • Opcode Fuzzy Hash: 1185881d275300a54ea04ba267804b9d2ae9e12bdca738820c714876ddb2e576
                                                          • Instruction Fuzzy Hash: 17124CB1A00109EFDB14DF94C884EAEB7B5FF55318F249099F915AB291C731ED86CBA0
                                                          APIs
                                                          • GetMenuItemCount.USER32(00F21990), ref: 00E92F8D
                                                          • GetMenuItemCount.USER32(00F21990), ref: 00E9303D
                                                          • GetCursorPos.USER32(?), ref: 00E93081
                                                          • SetForegroundWindow.USER32(00000000), ref: 00E9308A
                                                          • TrackPopupMenuEx.USER32(00F21990,00000000,?,00000000,00000000,00000000), ref: 00E9309D
                                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E930A9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                          • String ID: 0
                                                          • API String ID: 36266755-4108050209
                                                          • Opcode ID: 02df5163c957cee912005d2344b1c9d515e3273f903e04f0e5d5244d0d30a886
                                                          • Instruction ID: bc3d6db996d43e65f3997186425a370115ea15f452b6100ac802b7d122d95afe
                                                          • Opcode Fuzzy Hash: 02df5163c957cee912005d2344b1c9d515e3273f903e04f0e5d5244d0d30a886
                                                          • Instruction Fuzzy Hash: 0D71EB70640249BEEF218F75CC89FAABF64FF05368F20521AFA157A1E0C7B1A914DB50
                                                          APIs
                                                          • DestroyWindow.USER32(00000000,?), ref: 00EE6DEB
                                                            • Part of subcall function 00E56B57: _wcslen.LIBCMT ref: 00E56B6A
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00EE6E5F
                                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00EE6E81
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EE6E94
                                                          • DestroyWindow.USER32(?), ref: 00EE6EB5
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E50000,00000000), ref: 00EE6EE4
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EE6EFD
                                                          • GetDesktopWindow.USER32 ref: 00EE6F16
                                                          • GetWindowRect.USER32(00000000), ref: 00EE6F1D
                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EE6F35
                                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00EE6F4D
                                                            • Part of subcall function 00E69944: GetWindowLongW.USER32(?,000000EB), ref: 00E69952
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                          • String ID: 0$tooltips_class32
                                                          • API String ID: 2429346358-3619404913
                                                          • Opcode ID: 9e734c49676277487cc43d1a364a8c72e858430f48802d5a925321d9c9549d4b
                                                          • Instruction ID: 50cb9bb394f968497aac517deb891dc2d8c738e135058e4a0943780a727ce89f
                                                          • Opcode Fuzzy Hash: 9e734c49676277487cc43d1a364a8c72e858430f48802d5a925321d9c9549d4b
                                                          • Instruction Fuzzy Hash: C7718C70104389AFDB20CF19D844AAABBF9FB99748F14141DF989A7261C770ED4ADB12
                                                          APIs
                                                            • Part of subcall function 00E69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E69BB2
                                                          • DragQueryPoint.SHELL32(?,?), ref: 00EE9147
                                                            • Part of subcall function 00EE7674: ClientToScreen.USER32(?,?), ref: 00EE769A
                                                            • Part of subcall function 00EE7674: GetWindowRect.USER32(?,?), ref: 00EE7710
                                                            • Part of subcall function 00EE7674: PtInRect.USER32(?,?,00EE8B89), ref: 00EE7720
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00EE91B0
                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00EE91BB
                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00EE91DE
                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00EE9225
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00EE923E
                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00EE9255
                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00EE9277
                                                          • DragFinish.SHELL32(?), ref: 00EE927E
                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00EE9371
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                          • API String ID: 221274066-3440237614
                                                          • Opcode ID: 59596ad9753fe26706a30bb611bfa5a80eebe14b89dc006ef3be600fa1de2147
                                                          • Instruction ID: aee838239df62bd3f1978e4ba6a8ccdfd61e6da1fd9b45bec0d48acd6102e507
                                                          • Opcode Fuzzy Hash: 59596ad9753fe26706a30bb611bfa5a80eebe14b89dc006ef3be600fa1de2147
                                                          • Instruction Fuzzy Hash: DC618A71108345AFC701EF61DC85DAFBBE8FF88750F10192DF995A61A2DB309A49CB52
                                                          APIs
                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00ECC4B0
                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00ECC4C3
                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00ECC4D7
                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00ECC4F0
                                                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00ECC533
                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00ECC549
                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00ECC554
                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00ECC584
                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00ECC5DC
                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00ECC5F0
                                                          • InternetCloseHandle.WININET(00000000), ref: 00ECC5FB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                          • String ID:
                                                          • API String ID: 3800310941-3916222277
                                                          • Opcode ID: 48238918ebad6d20ddadfa01c21c62bdda5d24bb35d62a95870215d40359c5eb
                                                          • Instruction ID: 135345eeb7d052912b0a2376b070f6e5f23ca6e0e2536df65fca21d5e3d4176a
                                                          • Opcode Fuzzy Hash: 48238918ebad6d20ddadfa01c21c62bdda5d24bb35d62a95870215d40359c5eb
                                                          • Instruction Fuzzy Hash: 64515FB1500648BFDB218F65CA88FAB7BFCFF08748F20541EF959A6150D731E94A9B60
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00EE8592
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EE85A2
                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EE85AD
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EE85BA
                                                          • GlobalLock.KERNEL32(00000000), ref: 00EE85C8
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EE85D7
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00EE85E0
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EE85E7
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EE85F8
                                                          • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00EEFC38,?), ref: 00EE8611
                                                          • GlobalFree.KERNEL32(00000000), ref: 00EE8621
                                                          • GetObjectW.GDI32(?,00000018,?), ref: 00EE8641
                                                          • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00EE8671
                                                          • DeleteObject.GDI32(?), ref: 00EE8699
                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00EE86AF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                          • String ID:
                                                          • API String ID: 3840717409-0
                                                          • Opcode ID: de9dc9591f5547eced2fdbf37129086e838418542393746f165bc4bb0d6fa4ec
                                                          • Instruction ID: cd81f64b3f4d74d719f811cada26bf7cbcead8ab3722803348f94e5b9c77bf4a
                                                          • Opcode Fuzzy Hash: de9dc9591f5547eced2fdbf37129086e838418542393746f165bc4bb0d6fa4ec
                                                          • Instruction Fuzzy Hash: 8D412C75600249AFDB11DFA6DD88EAA7BB8EF89715F204058F919FB260DB309905CB20
                                                          APIs
                                                          • VariantInit.OLEAUT32(00000000), ref: 00EC1502
                                                          • VariantCopy.OLEAUT32(?,?), ref: 00EC150B
                                                          • VariantClear.OLEAUT32(?), ref: 00EC1517
                                                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00EC15FB
                                                          • VarR8FromDec.OLEAUT32(?,?), ref: 00EC1657
                                                          • VariantInit.OLEAUT32(?), ref: 00EC1708
                                                          • SysFreeString.OLEAUT32(?), ref: 00EC178C
                                                          • VariantClear.OLEAUT32(?), ref: 00EC17D8
                                                          • VariantClear.OLEAUT32(?), ref: 00EC17E7
                                                          • VariantInit.OLEAUT32(00000000), ref: 00EC1823
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                          • API String ID: 1234038744-3931177956
                                                          • Opcode ID: 3d14121091897bb7aa91112638c9573af95705ed7475bae28f42840cf026c1d7
                                                          • Instruction ID: 70b4c8ed47d4d252382183757f5085d7b381aba4ee3c7a265107efad51d382a5
                                                          • Opcode Fuzzy Hash: 3d14121091897bb7aa91112638c9573af95705ed7475bae28f42840cf026c1d7
                                                          • Instruction Fuzzy Hash: 92D1F131A00204DBCB009F65E985FA9B7F1BF46700F64909AF806BB282DB32EC46DB51
                                                          APIs
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                            • Part of subcall function 00EDC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EDB6AE,?,?), ref: 00EDC9B5
                                                            • Part of subcall function 00EDC998: _wcslen.LIBCMT ref: 00EDC9F1
                                                            • Part of subcall function 00EDC998: _wcslen.LIBCMT ref: 00EDCA68
                                                            • Part of subcall function 00EDC998: _wcslen.LIBCMT ref: 00EDCA9E
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EDB6F4
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EDB772
                                                          • RegDeleteValueW.ADVAPI32(?,?), ref: 00EDB80A
                                                          • RegCloseKey.ADVAPI32(?), ref: 00EDB87E
                                                          • RegCloseKey.ADVAPI32(?), ref: 00EDB89C
                                                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00EDB8F2
                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EDB904
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00EDB922
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00EDB983
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EDB994
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                          • API String ID: 146587525-4033151799
                                                          • Opcode ID: 03e80376f95acbdbe2216e128f3f66e42eeaa9208ed95a3a3f1875a06141b0a7
                                                          • Instruction ID: 97dd4c1e7a5def9af9a68ab8875519f05d85729c11a2f7f3e7707b9b95582e67
                                                          • Opcode Fuzzy Hash: 03e80376f95acbdbe2216e128f3f66e42eeaa9208ed95a3a3f1875a06141b0a7
                                                          • Instruction Fuzzy Hash: DAC19C34204241EFD714DF14C494F2ABBE1EF84318F25A95DF49A6B3A2DB31E84ACB91
                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 00ED25D8
                                                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00ED25E8
                                                          • CreateCompatibleDC.GDI32(?), ref: 00ED25F4
                                                          • SelectObject.GDI32(00000000,?), ref: 00ED2601
                                                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00ED266D
                                                          • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00ED26AC
                                                          • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00ED26D0
                                                          • SelectObject.GDI32(?,?), ref: 00ED26D8
                                                          • DeleteObject.GDI32(?), ref: 00ED26E1
                                                          • DeleteDC.GDI32(?), ref: 00ED26E8
                                                          • ReleaseDC.USER32(00000000,?), ref: 00ED26F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                          • String ID: (
                                                          • API String ID: 2598888154-3887548279
                                                          • Opcode ID: 1ca04e1fbd94c777dfbcba9cd46419fa13a1b3cbbfbe3ff49110fdbfda26961b
                                                          • Instruction ID: 98e661e421d8f1d7f806d81a85367cbe64c8e2fcd3b9db099bd170729c489dc4
                                                          • Opcode Fuzzy Hash: 1ca04e1fbd94c777dfbcba9cd46419fa13a1b3cbbfbe3ff49110fdbfda26961b
                                                          • Instruction Fuzzy Hash: 8961C275D00219EFCB14CFA4D884AAEBBF5FF58310F20852AEA55B7350D770A9528F90
                                                          APIs
                                                          • ___free_lconv_mon.LIBCMT ref: 00E8DAA1
                                                            • Part of subcall function 00E8D63C: _free.LIBCMT ref: 00E8D659
                                                            • Part of subcall function 00E8D63C: _free.LIBCMT ref: 00E8D66B
                                                            • Part of subcall function 00E8D63C: _free.LIBCMT ref: 00E8D67D
                                                            • Part of subcall function 00E8D63C: _free.LIBCMT ref: 00E8D68F
                                                            • Part of subcall function 00E8D63C: _free.LIBCMT ref: 00E8D6A1
                                                            • Part of subcall function 00E8D63C: _free.LIBCMT ref: 00E8D6B3
                                                            • Part of subcall function 00E8D63C: _free.LIBCMT ref: 00E8D6C5
                                                            • Part of subcall function 00E8D63C: _free.LIBCMT ref: 00E8D6D7
                                                            • Part of subcall function 00E8D63C: _free.LIBCMT ref: 00E8D6E9
                                                            • Part of subcall function 00E8D63C: _free.LIBCMT ref: 00E8D6FB
                                                            • Part of subcall function 00E8D63C: _free.LIBCMT ref: 00E8D70D
                                                            • Part of subcall function 00E8D63C: _free.LIBCMT ref: 00E8D71F
                                                            • Part of subcall function 00E8D63C: _free.LIBCMT ref: 00E8D731
                                                          • _free.LIBCMT ref: 00E8DA96
                                                            • Part of subcall function 00E829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E8D7D1,00000000,00000000,00000000,00000000,?,00E8D7F8,00000000,00000007,00000000,?,00E8DBF5,00000000), ref: 00E829DE
                                                            • Part of subcall function 00E829C8: GetLastError.KERNEL32(00000000,?,00E8D7D1,00000000,00000000,00000000,00000000,?,00E8D7F8,00000000,00000007,00000000,?,00E8DBF5,00000000,00000000), ref: 00E829F0
                                                          • _free.LIBCMT ref: 00E8DAB8
                                                          • _free.LIBCMT ref: 00E8DACD
                                                          • _free.LIBCMT ref: 00E8DAD8
                                                          • _free.LIBCMT ref: 00E8DAFA
                                                          • _free.LIBCMT ref: 00E8DB0D
                                                          • _free.LIBCMT ref: 00E8DB1B
                                                          • _free.LIBCMT ref: 00E8DB26
                                                          • _free.LIBCMT ref: 00E8DB5E
                                                          • _free.LIBCMT ref: 00E8DB65
                                                          • _free.LIBCMT ref: 00E8DB82
                                                          • _free.LIBCMT ref: 00E8DB9A
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                          • String ID:
                                                          • API String ID: 161543041-0
                                                          • Opcode ID: 73a061b0872f049555148ba1f9d2daa6ae1e5b72c95af8dacd88537fd67e5703
                                                          • Instruction ID: 2c1a858b3cf113630764c185195f7932a942b2e992f4d6d80ef9129c8e4d1f11
                                                          • Opcode Fuzzy Hash: 73a061b0872f049555148ba1f9d2daa6ae1e5b72c95af8dacd88537fd67e5703
                                                          • Instruction Fuzzy Hash: EB315A316486049FEB26BA39EC45B5A77E9FF40324F226459E54CF71D1DE35EC808720
                                                          APIs
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00EB369C
                                                          • _wcslen.LIBCMT ref: 00EB36A7
                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EB3797
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00EB380C
                                                          • GetDlgCtrlID.USER32(?), ref: 00EB385D
                                                          • GetWindowRect.USER32(?,?), ref: 00EB3882
                                                          • GetParent.USER32(?), ref: 00EB38A0
                                                          • ScreenToClient.USER32(00000000), ref: 00EB38A7
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00EB3921
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00EB395D
                                                          Strings
                                                          Similarity
                                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                          • String ID: %s%u
                                                          • API String ID: 4010501982-679674701
                                                          • Opcode ID: e3d21d277f50d98ce5405ac99e13b3d941439654071ec91ea322c07a32e8d72e
                                                          • Instruction ID: 3fba7b6a0e478a1f0852e2fe5fc9069c6d18998433e44653bf46d87131ebb8db
                                                          • Opcode Fuzzy Hash: e3d21d277f50d98ce5405ac99e13b3d941439654071ec91ea322c07a32e8d72e
                                                          • Instruction Fuzzy Hash: C691CF71204606AFD719DF34C886BEBB7E8FF44344F109629F999E2190DB30EA49CB91
                                                          APIs
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00EB4994
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00EB49DA
                                                          • _wcslen.LIBCMT ref: 00EB49EB
                                                          • CharUpperBuffW.USER32(?,00000000), ref: 00EB49F7
                                                          • _wcsstr.LIBVCRUNTIME ref: 00EB4A2C
                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00EB4A64
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00EB4A9D
                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00EB4AE6
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00EB4B20
                                                          • GetWindowRect.USER32(?,?), ref: 00EB4B8B
                                                          Strings
                                                          Similarity
                                                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                          • String ID: ThumbnailClass
                                                          • API String ID: 1311036022-1241985126
                                                          • Opcode ID: f89afc729b33aa59e8aa88c5ffb44c63bdcaa501f9bf9ff5cd6e7b5300939ab6
                                                          • Instruction ID: 57e88dbf0f9480f46569529e5e051e8bb9b66c170efc5bc8dd82b882edeadb93
                                                          • Opcode Fuzzy Hash: f89afc729b33aa59e8aa88c5ffb44c63bdcaa501f9bf9ff5cd6e7b5300939ab6
                                                          • Instruction Fuzzy Hash: 2B9191B10042069FDB05DF14C985BEB77E8EF84718F04A469FE85AA197EB30ED45CBA1
                                                          APIs
                                                            • Part of subcall function 00E69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E69BB2
                                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EE8D5A
                                                          • GetFocus.USER32 ref: 00EE8D6A
                                                          • GetDlgCtrlID.USER32(00000000), ref: 00EE8D75
                                                          • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00EE8E1D
                                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00EE8ECF
                                                          • GetMenuItemCount.USER32(?), ref: 00EE8EEC
                                                          • GetMenuItemID.USER32(?,00000000), ref: 00EE8EFC
                                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00EE8F2E
                                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00EE8F70
                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EE8FA1
                                                          Strings
                                                          Similarity
                                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                          • String ID: 0
                                                          • API String ID: 1026556194-4108050209
                                                          • Opcode ID: 962bf5dae243c4ffeae746aedbd866e37e91650ca6cbe2bb2047d875c14eb903
                                                          • Instruction ID: 8d828af274f82e4290ed204c23a1e4d08a20a8a0420d7b979574247dfc9ecf9a
                                                          • Opcode Fuzzy Hash: 962bf5dae243c4ffeae746aedbd866e37e91650ca6cbe2bb2047d875c14eb903
                                                          • Instruction Fuzzy Hash: AB81E2716043899FD710CF16DD84AAB7BE9FB88318F14191DF988B72A1DB30D905CB62
                                                          APIs
                                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00EBDC20
                                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00EBDC46
                                                          • _wcslen.LIBCMT ref: 00EBDC50
                                                          • _wcsstr.LIBVCRUNTIME ref: 00EBDCA0
                                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00EBDCBC
                                                          Strings
                                                          Similarity
                                                          • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                          • API String ID: 1939486746-1459072770
                                                          • Opcode ID: 806fd924f128cfbd611ce3719dc0f168f7f38aa236da78245fa036f8ff4b7c35
                                                          • Instruction ID: 4f21421a12899463a58e4cb510f3670e5d6aaf07fa36f516d337c3c2609ebed7
                                                          • Opcode Fuzzy Hash: 806fd924f128cfbd611ce3719dc0f168f7f38aa236da78245fa036f8ff4b7c35
                                                          • Instruction Fuzzy Hash: 4C4122329442057ADB00A775AC47EFF7BACEF41760F10616AF904F6183FB71990296A5
                                                          APIs
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EDCC64
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00EDCC8D
                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EDCD48
                                                            • Part of subcall function 00EDCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00EDCCAA
                                                            • Part of subcall function 00EDCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00EDCCBD
                                                            • Part of subcall function 00EDCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EDCCCF
                                                            • Part of subcall function 00EDCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EDCD05
                                                            • Part of subcall function 00EDCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EDCD28
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00EDCCF3
                                                          Strings
                                                          Similarity
                                                          • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                          • API String ID: 2734957052-4033151799
                                                          • Opcode ID: c5d1a2dd17fb317e7f809359c64cb22e49a81bf950f6bef9c653b1de6acb0047
                                                          • Instruction ID: 326cab36a76e0922163b5cde1b842f96498120c478246235938ea07cb1b4fe5f
                                                          • Opcode Fuzzy Hash: c5d1a2dd17fb317e7f809359c64cb22e49a81bf950f6bef9c653b1de6acb0047
                                                          • Instruction Fuzzy Hash: 7E31807190122DBFDB209B51DC88EFFBB7CEF05794F200166F905F6240D6309A4ADAA1
                                                          APIs
                                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EC3D40
                                                          • _wcslen.LIBCMT ref: 00EC3D6D
                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00EC3D9D
                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EC3DBE
                                                          • RemoveDirectoryW.KERNEL32(?), ref: 00EC3DCE
                                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EC3E55
                                                          • CloseHandle.KERNEL32(00000000), ref: 00EC3E60
                                                          • CloseHandle.KERNEL32(00000000), ref: 00EC3E6B
                                                          Strings
                                                          Similarity
                                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                          • String ID: :$\$\??\%s
                                                          • API String ID: 1149970189-3457252023
                                                          • Opcode ID: 2b9724ac1051b4995a321a35becd07a4290ed504c0eb02e70d1a4158760c8555
                                                          • Instruction ID: 1ec0442e331f0d1e65a58159320869249d859470a94291de6a04f2805c29640f
                                                          • Opcode Fuzzy Hash: 2b9724ac1051b4995a321a35becd07a4290ed504c0eb02e70d1a4158760c8555
                                                          • Instruction Fuzzy Hash: B631A571900249ABDB209BA1DC89FEF3BBDEF88705F1091A9F609E6160E77197458B24
                                                          APIs
                                                          • timeGetTime.WINMM ref: 00EBE6B4
                                                            • Part of subcall function 00E6E551: timeGetTime.WINMM(?,?,00EBE6D4), ref: 00E6E555
                                                          • Sleep.KERNEL32(0000000A), ref: 00EBE6E1
                                                          • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00EBE705
                                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00EBE727
                                                          • SetActiveWindow.USER32 ref: 00EBE746
                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EBE754
                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00EBE773
                                                          • Sleep.KERNEL32(000000FA), ref: 00EBE77E
                                                          • IsWindow.USER32 ref: 00EBE78A
                                                          • EndDialog.USER32(00000000), ref: 00EBE79B
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                          • String ID: BUTTON
                                                          • API String ID: 1194449130-3405671355
                                                          • Opcode ID: b76f9bdf5214951f1790ac98067c59f553f0be08c48f9b07f8967fd980808d94
                                                          • Instruction ID: 08e6c14f74861cace9fd84c74d303c060698fb71b112647c650143138a1d0b26
                                                          • Opcode Fuzzy Hash: b76f9bdf5214951f1790ac98067c59f553f0be08c48f9b07f8967fd980808d94
                                                          • Instruction Fuzzy Hash: C921C67120024DBFEB205F71ECC9AA73F69FB54748F202425F905B53A1DF71AC0AAA55
                                                          APIs
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EBEA5D
                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EBEA73
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EBEA84
                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EBEA96
                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EBEAA7
                                                          Strings
                                                          Similarity
                                                          • API ID: SendString$_wcslen
                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                          • API String ID: 2420728520-1007645807
                                                          • Opcode ID: be1fc09ce417fe667392a454538fc35c635ef46d36dade58133be609b09f0233
                                                          • Instruction ID: efc3c5238ffa379831ef9710a91be76074e1aee9ae0c16957d8993a74a913181
                                                          • Opcode Fuzzy Hash: be1fc09ce417fe667392a454538fc35c635ef46d36dade58133be609b09f0233
                                                          • Instruction Fuzzy Hash: 96117331A502597AD720A7A1DC4ADFF6ABCEFD1B44F402829B811F20D1EE705989C5B1
                                                          APIs
                                                          • GetKeyboardState.USER32(?), ref: 00EBA012
                                                          • SetKeyboardState.USER32(?), ref: 00EBA07D
                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00EBA09D
                                                          • GetKeyState.USER32(000000A0), ref: 00EBA0B4
                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00EBA0E3
                                                          • GetKeyState.USER32(000000A1), ref: 00EBA0F4
                                                          • GetAsyncKeyState.USER32(00000011), ref: 00EBA120
                                                          • GetKeyState.USER32(00000011), ref: 00EBA12E
                                                          • GetAsyncKeyState.USER32(00000012), ref: 00EBA157
                                                          • GetKeyState.USER32(00000012), ref: 00EBA165
                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00EBA18E
                                                          • GetKeyState.USER32(0000005B), ref: 00EBA19C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: State$Async$Keyboard
                                                          • String ID:
                                                          • API String ID: 541375521-0
                                                          • Opcode ID: 10a3215a07a6d878ad0440ad816e09c936b42091dbdc3fc971b5966573d95a2b
                                                          • Instruction ID: 55b3ceb6fbc202bf1e95c7014a5f2c046489cc109d1b058db572e8af2a2723a4
                                                          • Opcode Fuzzy Hash: 10a3215a07a6d878ad0440ad816e09c936b42091dbdc3fc971b5966573d95a2b
                                                          • Instruction Fuzzy Hash: CC51E560A0478829FF35EB6488517FBAFF49F12384F0C95A9D5C27B1C3DA54AA4CC762
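The API lines in these function entries all follow one shape: a bullet, an optional "Part of subcall function ADDR:" prefix, `Api.MODULE(args)` with `?` for arguments the analyzer could not resolve, and `ref: ADDR` for the call site. The entry above polls modifier keys (0xA0, 0xA1, 0x11, 0x12, 0x5B are VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU and VK_LWIN), and a later entry opens a remote registry hive (80000002 is HKEY_LOCAL_MACHINE, 00020019 is KEY_READ). The following Python is an added example, not part of the Joe Sandbox report: it parses lines of that shape and annotates the arguments that are well-known Win32 constants. The sample entry is constructed from lines on this page; the constant tables are standard Windows SDK values, and which argument position holds a constant is taken from the documented signatures of those APIs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: API lines copied from function entries on this page.
SAMPLE_ENTRY = """\
• GetKeyboardState.USER32(?), ref: 00EBA012
• GetAsyncKeyState.USER32(000000A0), ref: 00EBA09D
• GetKeyState.USER32(000000A0), ref: 00EBA0B4
• GetAsyncKeyState.USER32(000000A1), ref: 00EBA0E3
• GetAsyncKeyState.USER32(00000011), ref: 00EBA120
• GetAsyncKeyState.USER32(00000012), ref: 00EBA157
• GetAsyncKeyState.USER32(0000005B), ref: 00EBA18E
  • Part of subcall function 00E56B57: _wcslen.LIBCMT ref: 00E56B6A
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EB07BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\\Classes\\), ref: 00EB07DA
• CoUninitialize.OLE32 ref: 00EC7DDC
"""

# Standard Windows SDK constants (winuser.h / winreg.h values).
VIRTUAL_KEYS = {
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
    0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
    0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
    0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU",
}
HKEYS = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
}
REG_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}

# (api name, zero-based argument index) -> table of known values, per the
# documented signatures: vKey is arg 0, hKey is arg 1, samDesired is arg 3.
CONSTANT_TABLES = {
    ("GetAsyncKeyState", 0): VIRTUAL_KEYS,
    ("GetKeyState", 0): VIRTUAL_KEYS,
    ("RegConnectRegistryW", 1): HKEYS,
    ("RegOpenKeyExW", 3): REG_ACCESS,
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw argument strings; '?' means unresolved
    ref: int                 # call-site address inside the dumped image
    subcall_of: Optional[str] = None  # set for "Part of subcall function" lines


LINE_RE = re.compile(
    r"^\u2022\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullet lines of an APIs section; lines that do not match are skipped."""
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=[a.strip() for a in args.split(",")] if args is not None else [],
            ref=int(m.group("ref"), 16),
            subcall_of=m.group("sub"),
        ))
    return calls


def decode_arg(api: str, index: int, raw: str) -> str:
    """Name a known constant argument; leave '?' and string arguments untouched."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
        return raw
    value = int(raw, 16)
    table = CONSTANT_TABLES.get((api, index))
    if table and value in table:
        return f"{table[value]} (0x{value:X})"
    return f"0x{value:X}"


def annotate(call: ApiCall) -> List[str]:
    return [decode_arg(call.api, i, a) for i, a in enumerate(call.args)]


def polled_keys(calls: List[ApiCall]) -> set:
    """Virtual keys the code polls through GetAsyncKeyState/GetKeyState."""
    keys = set()
    for c in calls:
        if c.api in ("GetAsyncKeyState", "GetKeyState") and c.args:
            keys.add(decode_arg(c.api, 0, c.args[0]).split(" ")[0])
    return keys


if __name__ == "__main__":
    for call in parse_api_lines(SAMPLE_ENTRY):
        print(f"{call.ref:08X} {call.api}.{call.module}({', '.join(annotate(call))})")
    print("polled keys:", sorted(polled_keys(parse_api_lines(SAMPLE_ENTRY))))
```

Seeing only modifier keys in the polled set is the caveat a triager wants here: this entry checks Shift, Ctrl, Alt and Win state around GetKeyboardState/SetKeyboardState, which is what synthetic keystroke routines do before sending input, and is not on its own evidence of a keystroke logger. A true logger would poll a much wider range of vKey values or install a hook.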
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000001), ref: 00EB5CE2
                                                          • GetWindowRect.USER32(00000000,?), ref: 00EB5CFB
                                                          • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00EB5D59
                                                          • GetDlgItem.USER32(?,00000002), ref: 00EB5D69
                                                          • GetWindowRect.USER32(00000000,?), ref: 00EB5D7B
                                                          • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00EB5DCF
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00EB5DDD
                                                          • GetWindowRect.USER32(00000000,?), ref: 00EB5DEF
                                                          • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00EB5E31
                                                          • GetDlgItem.USER32(?,000003EA), ref: 00EB5E44
                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EB5E5A
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00EB5E67
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                          • String ID:
                                                          • API String ID: 3096461208-0
                                                          • Opcode ID: 4c81ae218f382a0db7c0297ed3a6fe497b57495547e5cb25be5016288f51b684
                                                          • Instruction ID: 8a1d1bbf4bb135c4c54603256cbbd191f278efd3bb2a257869efbf07d9db4ee1
                                                          • Opcode Fuzzy Hash: 4c81ae218f382a0db7c0297ed3a6fe497b57495547e5cb25be5016288f51b684
                                                          • Instruction Fuzzy Hash: 36512F71A00609AFDF18CF69DD89AAF7BB5FB48700F249229F915F6290D7709E05CB50
                                                          APIs
                                                            • Part of subcall function 00E68F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E68BE8,?,00000000,?,?,?,?,00E68BBA,00000000,?), ref: 00E68FC5
                                                          • DestroyWindow.USER32(?), ref: 00E68C81
                                                          • KillTimer.USER32(00000000,?,?,?,?,00E68BBA,00000000,?), ref: 00E68D1B
                                                          • DestroyAcceleratorTable.USER32(00000000), ref: 00EA6973
                                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00E68BBA,00000000,?), ref: 00EA69A1
                                                          • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00E68BBA,00000000,?), ref: 00EA69B8
                                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E68BBA,00000000), ref: 00EA69D4
                                                          • DeleteObject.GDI32(00000000), ref: 00EA69E6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                          • String ID:
                                                          • API String ID: 641708696-0
                                                          • Opcode ID: 24d45e954c54fdd81f720ca19d0c2769a60069e0fd8017d8c18c34cc1789ddd0
                                                          • Instruction ID: 20d4288018f8d0f6b9ee2be0f290709060426382302af6b5a81fe1883341df06
                                                          • Opcode Fuzzy Hash: 24d45e954c54fdd81f720ca19d0c2769a60069e0fd8017d8c18c34cc1789ddd0
                                                          • Instruction Fuzzy Hash: 3A61ED30101708CFDB318F24EA58B26B7F1FB5635AF146619E042BA560CB31ACD6DF56
                                                          APIs
                                                            • Part of subcall function 00E69944: GetWindowLongW.USER32(?,000000EB), ref: 00E69952
                                                          • GetSysColor.USER32(0000000F), ref: 00E69862
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ColorLongWindow
                                                          • String ID:
                                                          • API String ID: 259745315-0
                                                          • Opcode ID: 43fc04086073e82e3da3e303665afca9ff00bf5a1c609991acea1d674f756a7e
                                                          • Instruction ID: c1f49dae884290f45edc1c3a6b68a97763973f22be958025e3b4aa977e9b0453
                                                          • Opcode Fuzzy Hash: 43fc04086073e82e3da3e303665afca9ff00bf5a1c609991acea1d674f756a7e
                                                          • Instruction Fuzzy Hash: 4441D4311406449FDB249F39AC84BB93BA9FB463B4F245609F9B2AB1E2C7309C46DB10
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .
                                                          • API String ID: 0-3963672497
                                                          • Opcode ID: 9ac03909dcf56818a5982b84195fc62960b7df68b42be8c405d45a171bd272ad
                                                          • Instruction ID: a091f4d2d7aefc169949543678555f37adb21bbecbc87324b36fa9d6ea4bd092
                                                          • Opcode Fuzzy Hash: 9ac03909dcf56818a5982b84195fc62960b7df68b42be8c405d45a171bd272ad
                                                          • Instruction Fuzzy Hash: 88C1C175E04249AFDB21EFA8C941BADBBF0AF49314F185199F91CB7293CB309941CB61
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00E9F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00EB9717
                                                          • LoadStringW.USER32(00000000,?,00E9F7F8,00000001), ref: 00EB9720
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                          • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00E9F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00EB9742
                                                          • LoadStringW.USER32(00000000,?,00E9F7F8,00000001), ref: 00EB9745
                                                          • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00EB9866
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadModuleString$Message_wcslen
                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                          • API String ID: 747408836-2268648507
                                                          • Opcode ID: 4da780e3728a1c7b3c1aa67174f8735d477439c86e89dd182bd044a6a9615d81
                                                          • Instruction ID: 83145753e48037bcee8b04ca372790a55e985c2cf34a29e0318e2508c52b4c2d
                                                          • Opcode Fuzzy Hash: 4da780e3728a1c7b3c1aa67174f8735d477439c86e89dd182bd044a6a9615d81
                                                          • Instruction Fuzzy Hash: A1414F7280021DAACF04EBE0DD86DEEB7B9AF54341F601865FA0572092EB356F4DCB61
                                                          APIs
                                                            • Part of subcall function 00E56B57: _wcslen.LIBCMT ref: 00E56B6A
                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EB07A2
                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EB07BE
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00EB07DA
                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00EB0804
                                                          • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00EB082C
                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EB0837
                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EB083C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                          • API String ID: 323675364-22481851
                                                          • Opcode ID: 8dfcb0db562327427d8f64604c436c7d3da7f54ca83e9d3b4d7d1edadaa20ab0
                                                          • Instruction ID: 3a911eae925276c64fa331e1ad53c021f1c5ca15bd2b99d46c97499618da7949
                                                          • Opcode Fuzzy Hash: 8dfcb0db562327427d8f64604c436c7d3da7f54ca83e9d3b4d7d1edadaa20ab0
                                                          • Instruction Fuzzy Hash: C7411572C1022DAFCF15EBA4DC958EEB7B8BF44350B545529F911B7161EB30AE08CBA0
                                                          APIs
                                                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00EE403B
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00EE4042
                                                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00EE4055
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00EE405D
                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00EE4068
                                                          • DeleteDC.GDI32(00000000), ref: 00EE4072
                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00EE407C
                                                          • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00EE4092
                                                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00EE409E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                          • String ID: static
                                                          • API String ID: 2559357485-2160076837
                                                          • Opcode ID: e1e007042b6f7ca8229cf0b192e123df8470279cb68131f28d07dd170e4eb6c7
                                                          • Instruction ID: 4b4557180506e84815e85400e4e990a6997be29c3e4c7dac0a16df2fa4811811
                                                          • Opcode Fuzzy Hash: e1e007042b6f7ca8229cf0b192e123df8470279cb68131f28d07dd170e4eb6c7
                                                          • Instruction Fuzzy Hash: 8A318B72101299AFDF229FA6CC49FDA3BA9FF0D324F101220FA18B61A0C731D815DB50
                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 00ED3C5C
                                                          • CoInitialize.OLE32(00000000), ref: 00ED3C8A
                                                          • CoUninitialize.OLE32 ref: 00ED3C94
                                                          • _wcslen.LIBCMT ref: 00ED3D2D
                                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00ED3DB1
                                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00ED3ED5
                                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00ED3F0E
                                                          • CoGetObject.OLE32(?,00000000,00EEFB98,?), ref: 00ED3F2D
                                                          • SetErrorMode.KERNEL32(00000000), ref: 00ED3F40
                                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00ED3FC4
                                                          • VariantClear.OLEAUT32(?), ref: 00ED3FD8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                          • String ID:
                                                          • API String ID: 429561992-0
                                                          • Opcode ID: 4e028b4c2a27473e0c3879bb6b352d57c9cc65077ff6afba1d7f10a1622c27bb
                                                          • Instruction ID: f9bdfd913dda1978bee97ca6afe968aeec869d53fcb8221960875fcb53f99b7d
                                                          • Opcode Fuzzy Hash: 4e028b4c2a27473e0c3879bb6b352d57c9cc65077ff6afba1d7f10a1622c27bb
                                                          • Instruction Fuzzy Hash: 6BC133716083059FC700DF68C88496BBBE9FF89748F10591EF88AAB251D731EE06CB52
                                                          APIs
                                                          • CoInitialize.OLE32(00000000), ref: 00EC7AF3
                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EC7B8F
                                                          • SHGetDesktopFolder.SHELL32(?), ref: 00EC7BA3
                                                          • CoCreateInstance.OLE32(00EEFD08,00000000,00000001,00F16E6C,?), ref: 00EC7BEF
                                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EC7C74
                                                          • CoTaskMemFree.OLE32(?,?), ref: 00EC7CCC
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 00EC7D57
                                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EC7D7A
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00EC7D81
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00EC7DD6
                                                          • CoUninitialize.OLE32 ref: 00EC7DDC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                          • String ID:
                                                          • API String ID: 2762341140-0
                                                          • Opcode ID: df62aa32c43451c3e238e03d435379ce5bef4111fbb29e150e858d8f32f4e269
                                                          • Instruction ID: 9a4ffd520504427b562cfc67d4c7395e18366ca99eba04b3da92d9c7c95d67e5
                                                          • Opcode Fuzzy Hash: df62aa32c43451c3e238e03d435379ce5bef4111fbb29e150e858d8f32f4e269
                                                          • Instruction Fuzzy Hash: D9C12A75A04109AFCB14DFA4C984DAEBBF9FF48304B149498F85AAB261D731ED46CF90
                                                          APIs
                                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00EE5504
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EE5515
                                                          • CharNextW.USER32(00000158), ref: 00EE5544
                                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00EE5585
                                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00EE559B
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EE55AC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CharNext
                                                          • String ID:
                                                          • API String ID: 1350042424-0
                                                          • Opcode ID: a039307981a64f2da405b56e7728c23e737f40d024370178557b288dd4f7b450
                                                          • Instruction ID: eef8404662767b4fcab064e642bf055949e68a290417f5ceda099b90470b2d0e
                                                          • Opcode Fuzzy Hash: a039307981a64f2da405b56e7728c23e737f40d024370178557b288dd4f7b450
                                                          • Instruction Fuzzy Hash: E9619E3290068DEFDF208F96CC84AFE7BB9EB05728F105145F925BB291D7708A85DB61
                                                          APIs
                                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00EAFAAF
                                                          • SafeArrayAllocData.OLEAUT32(?), ref: 00EAFB08
                                                          • VariantInit.OLEAUT32(?), ref: 00EAFB1A
                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00EAFB3A
                                                          • VariantCopy.OLEAUT32(?,?), ref: 00EAFB8D
                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00EAFBA1
                                                          • VariantClear.OLEAUT32(?), ref: 00EAFBB6
                                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00EAFBC3
                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EAFBCC
                                                          • VariantClear.OLEAUT32(?), ref: 00EAFBDE
                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EAFBE9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                          • String ID:
                                                          • API String ID: 2706829360-0
                                                          • Opcode ID: 3ff0f67f010d04785c00bff459d951f92b5c95560439980fa6f06547d044716c
                                                          • Instruction ID: a97e5090afedb754c25f23f27dd2be8b1c7202dda5dcefd90c4fca3c9a4829d4
                                                          • Opcode Fuzzy Hash: 3ff0f67f010d04785c00bff459d951f92b5c95560439980fa6f06547d044716c
                                                          • Instruction Fuzzy Hash: FB415135A002199FCB04DFA5D8A4DEDBBB9FF09344F109069F955BB261C730A946CBA0
                                                          APIs
                                                          • GetKeyboardState.USER32(?), ref: 00EB9CA1
                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00EB9D22
                                                          • GetKeyState.USER32(000000A0), ref: 00EB9D3D
                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00EB9D57
                                                          • GetKeyState.USER32(000000A1), ref: 00EB9D6C
                                                          • GetAsyncKeyState.USER32(00000011), ref: 00EB9D84
                                                          • GetKeyState.USER32(00000011), ref: 00EB9D96
                                                          • GetAsyncKeyState.USER32(00000012), ref: 00EB9DAE
                                                          • GetKeyState.USER32(00000012), ref: 00EB9DC0
                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00EB9DD8
                                                          • GetKeyState.USER32(0000005B), ref: 00EB9DEA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: State$Async$Keyboard
                                                          • String ID:
                                                          • API String ID: 541375521-0
                                                          • Opcode ID: 5eaba42894610fdc58a83b808489fe9f6427c1ec61c24ade68936fa3d36795a6
                                                          • Instruction ID: d211a47ecd0037208e4229f9fb8d6fc3841091ed18de77db4b23c0b16c65ce31
                                                          • Opcode Fuzzy Hash: 5eaba42894610fdc58a83b808489fe9f6427c1ec61c24ade68936fa3d36795a6
                                                          • Instruction Fuzzy Hash: BB41A5345047CA6DFF31966188443E7FEE06F11348F48905ADBC67A5C3DBA5A9C8CBA2
                                                          APIs
                                                          • WSAStartup.WSOCK32(00000101,?), ref: 00ED05BC
                                                          • inet_addr.WSOCK32(?), ref: 00ED061C
                                                          • gethostbyname.WSOCK32(?), ref: 00ED0628
                                                          • IcmpCreateFile.IPHLPAPI ref: 00ED0636
                                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00ED06C6
                                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00ED06E5
                                                          • IcmpCloseHandle.IPHLPAPI(?), ref: 00ED07B9
                                                          • WSACleanup.WSOCK32 ref: 00ED07BF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                          • String ID: Ping
                                                          • API String ID: 1028309954-2246546115
                                                          • Opcode ID: e10f058bd48d1e6759bc2c7387944c8d0aade24226ea812bcab8551694b1adf9
                                                          • Instruction ID: 482a5b8d007c1ac83125c4442d7e08301e7aa2d95ace5af6112bf0af532d5387
                                                          • Opcode Fuzzy Hash: e10f058bd48d1e6759bc2c7387944c8d0aade24226ea812bcab8551694b1adf9
                                                          • Instruction Fuzzy Hash: F9916C356042419FD320DF25D488B1ABBE0EF44318F1895AAF869AF7A2C770ED46CF91
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharLower
                                                          • String ID: cdecl$none$stdcall$winapi
                                                          • API String ID: 707087890-567219261
                                                          • Opcode ID: ce4ee0c847f277cccbdef4f8d977dae098d5bc53385b0f6ab1a253c3f1667a1a
                                                          • Instruction ID: 281f0e0933fc6d2b8cdc1927a7f37d1bf362499a8bb58e2d95255f73d9b275a1
                                                          • Opcode Fuzzy Hash: ce4ee0c847f277cccbdef4f8d977dae098d5bc53385b0f6ab1a253c3f1667a1a
                                                          • Instruction Fuzzy Hash: 2B519131A001169BCB14DF68CE509BEB7E6EF64714B20662AE826F73C5DB31DD42CB90
                                                          APIs
                                                          • CoInitialize.OLE32 ref: 00ED3774
                                                          • CoUninitialize.OLE32 ref: 00ED377F
                                                          • CoCreateInstance.OLE32(?,00000000,00000017,00EEFB78,?), ref: 00ED37D9
                                                          • IIDFromString.OLE32(?,?), ref: 00ED384C
                                                          • VariantInit.OLEAUT32(?), ref: 00ED38E4
                                                          • VariantClear.OLEAUT32(?), ref: 00ED3936
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                          • API String ID: 636576611-1287834457
                                                          • Opcode ID: 2e466d5afd68741bf730cfa211cf3e268078b0cfbae4ff65a4c724a0eab39452
                                                          • Instruction ID: 2882f6e7692affa68bc68ff4754608921f19a8fe72acbf61b437facccc5c7f07
                                                          • Opcode Fuzzy Hash: 2e466d5afd68741bf730cfa211cf3e268078b0cfbae4ff65a4c724a0eab39452
                                                          • Instruction Fuzzy Hash: CB61AE74608701AFD314DF64D889B9ABBE4EF48714F10180AF885AB391D770EE4ADB93
                                                          APIs
                                                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EC33CF
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EC33F0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: LoadString$_wcslen
                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                          • API String ID: 4099089115-3080491070
                                                          • Opcode ID: 3c88761040de2bafa0e752c6c9615de9ff94a5446223242a0891436adb74d189
                                                          • Instruction ID: 50d8b5a36d13c9171df064976eeb5214e83cd1dba54eea82bbf735e689296b06
                                                          • Opcode Fuzzy Hash: 3c88761040de2bafa0e752c6c9615de9ff94a5446223242a0891436adb74d189
                                                          • Instruction Fuzzy Hash: 0051B13290020DAADF14EBA0CE42EEEB3B9EF14341F205465F90573062EB356F59DB61
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharUpper
                                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                          • API String ID: 1256254125-769500911
                                                          • Opcode ID: e3cd9241d2f3039d07ec0748c400258672b2d5f36332e2b19007839c15eb77e2
                                                          • Instruction ID: e68a6823209452de98713362724f903a7fc5eb5f63bf4580d49cab2aa7b9bf18
                                                          • Opcode Fuzzy Hash: e3cd9241d2f3039d07ec0748c400258672b2d5f36332e2b19007839c15eb77e2
                                                          • Instruction Fuzzy Hash: B441EB32A000279BCB205F7DCD905FF77A5AFA0758B24522AE565FB288EB71CD81C790
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 00EC53A0
                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EC5416
                                                          • GetLastError.KERNEL32 ref: 00EC5420
                                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 00EC54A7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                          • API String ID: 4194297153-14809454
                                                          • Opcode ID: 07ca4a0f1ed5b79996f74e8560841383d150cc7baa00688da4feb756410c42e4
                                                          • Instruction ID: 9fb6785f58e794bb567522d38d781a4059672d3be9ebfb341d65f07e29cf789e
                                                          • Opcode Fuzzy Hash: 07ca4a0f1ed5b79996f74e8560841383d150cc7baa00688da4feb756410c42e4
                                                          • Instruction Fuzzy Hash: 4A318C36A005049FC714DF68C984FEABBB4FB44309F149459E812EB292DA32EDC7CB90
                                                          APIs
                                                          • CreateMenu.USER32 ref: 00EE3C79
                                                          • SetMenu.USER32(?,00000000), ref: 00EE3C88
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EE3D10
                                                          • IsMenu.USER32(?), ref: 00EE3D24
                                                          • CreatePopupMenu.USER32 ref: 00EE3D2E
                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EE3D5B
                                                          • DrawMenuBar.USER32 ref: 00EE3D63
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                          • String ID: 0$F
                                                          • API String ID: 161812096-3044882817
                                                          • Opcode ID: a65bfc3ff40028383901513191289f51220fc08deb061afbafd2ccc2f56ee28d
                                                          • Instruction ID: 3ae001ec1fd96fe9f0fe6be116ecb3b8a7a9d871d3abc277aa003f26665b9364
                                                          • Opcode Fuzzy Hash: a65bfc3ff40028383901513191289f51220fc08deb061afbafd2ccc2f56ee28d
                                                          • Instruction Fuzzy Hash: 8B418974A01249EFDB24CF66D888AEA7BB5FF49304F140028F906AB360D730AA15CF94
                                                          APIs
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                            • Part of subcall function 00EB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EB3CCA
                                                          • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00EB1F64
                                                          • GetDlgCtrlID.USER32 ref: 00EB1F6F
                                                          • GetParent.USER32 ref: 00EB1F8B
                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00EB1F8E
                                                          • GetDlgCtrlID.USER32(?), ref: 00EB1F97
                                                          • GetParent.USER32(?), ref: 00EB1FAB
                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00EB1FAE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 711023334-1403004172
                                                          • Opcode ID: c27a4148c2c2edaba02febfcebd4aa9c552e78eb91f5de899154f07a20eb1feb
                                                          • Instruction ID: 295cf29bfed9880ff09e768c9a89da8dc0e0d659bcfbe55889073eb8199715ed
                                                          • Opcode Fuzzy Hash: c27a4148c2c2edaba02febfcebd4aa9c552e78eb91f5de899154f07a20eb1feb
                                                          • Instruction Fuzzy Hash: C721B074A00218BFCF04AFA0CC959FFBBB9EF05310B601555B96177292CB355909DB61
                                                          APIs
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                            • Part of subcall function 00EB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EB3CCA
                                                          • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00EB2043
                                                          • GetDlgCtrlID.USER32 ref: 00EB204E
                                                          • GetParent.USER32 ref: 00EB206A
                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00EB206D
                                                          • GetDlgCtrlID.USER32(?), ref: 00EB2076
                                                          • GetParent.USER32(?), ref: 00EB208A
                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00EB208D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 711023334-1403004172
                                                          • Opcode ID: 4b1f696e9ec40ca15a479ecc51735b9a5290649d263f355f28263995f3f29d1e
                                                          • Instruction ID: 19663b0f34950190feec2ff2a3f7566a97b8f59a096c6d28464b749f3d816fd8
                                                          • Opcode Fuzzy Hash: 4b1f696e9ec40ca15a479ecc51735b9a5290649d263f355f28263995f3f29d1e
                                                          • Instruction Fuzzy Hash: 0A21D175900218BFCF14AFA4CC85EEFBBB8EF09300F205409B951B71A2CA798919DB61
                                                          APIs
                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00EE3A9D
                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00EE3AA0
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00EE3AC7
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EE3AEA
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00EE3B62
                                                          • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00EE3BAC
                                                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00EE3BC7
                                                          • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00EE3BE2
                                                          • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00EE3BF6
                                                          • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00EE3C13
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$LongWindow
                                                          • String ID:
                                                          • API String ID: 312131281-0
                                                          • Opcode ID: af5d20336b912cc1e2fb3b54a7ecc2e5932519e661b7972b7de69157c1eb7038
                                                          • Instruction ID: c71837ff49c45bf3adc9e9b55c5e02f474b27f84abc9083d4d48420973fd01e1
                                                          • Opcode Fuzzy Hash: af5d20336b912cc1e2fb3b54a7ecc2e5932519e661b7972b7de69157c1eb7038
                                                          • Instruction Fuzzy Hash: 43616C75900248AFDB20DF68CC85EEE77F8EB09704F104199FA15B72A1D770AE85DB60
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 00EBB151
                                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00EBA1E1,?,00000001), ref: 00EBB165
                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00EBB16C
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EBA1E1,?,00000001), ref: 00EBB17B
                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EBB18D
                                                          • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00EBA1E1,?,00000001), ref: 00EBB1A6
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EBA1E1,?,00000001), ref: 00EBB1B8
                                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00EBA1E1,?,00000001), ref: 00EBB1FD
                                                          • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00EBA1E1,?,00000001), ref: 00EBB212
                                                          • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00EBA1E1,?,00000001), ref: 00EBB21D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                          • String ID:
                                                          • API String ID: 2156557900-0
                                                          • Opcode ID: cc0ebf2b40bb9391a3741b38af94104e83e5cf37ac8839201535bad330f6af60
                                                          • Instruction ID: 719e98322c4b6289dec94da088558a54c722c58a2d8a44c54ed3392172f6447d
                                                          • Opcode Fuzzy Hash: cc0ebf2b40bb9391a3741b38af94104e83e5cf37ac8839201535bad330f6af60
                                                          • Instruction Fuzzy Hash: 183181B1600208BFDB20DF25DC84FAF7BA9BB51719F205015F911EA1A0D7B89D468F70
                                                          APIs
                                                          • _free.LIBCMT ref: 00E82C94
                                                            • Part of subcall function 00E829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E8D7D1,00000000,00000000,00000000,00000000,?,00E8D7F8,00000000,00000007,00000000,?,00E8DBF5,00000000), ref: 00E829DE
                                                            • Part of subcall function 00E829C8: GetLastError.KERNEL32(00000000,?,00E8D7D1,00000000,00000000,00000000,00000000,?,00E8D7F8,00000000,00000007,00000000,?,00E8DBF5,00000000,00000000), ref: 00E829F0
                                                          • _free.LIBCMT ref: 00E82CA0
                                                          • _free.LIBCMT ref: 00E82CAB
                                                          • _free.LIBCMT ref: 00E82CB6
                                                          • _free.LIBCMT ref: 00E82CC1
                                                          • _free.LIBCMT ref: 00E82CCC
                                                          • _free.LIBCMT ref: 00E82CD7
                                                          • _free.LIBCMT ref: 00E82CE2
                                                          • _free.LIBCMT ref: 00E82CED
                                                          • _free.LIBCMT ref: 00E82CFB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: dc4bc405b0b70e346320061c7093c108f1531200b302fe9d3c16abacd2d2b3a6
                                                          • Instruction ID: f1ef401910651190eee63d9ad82f5402ffa4d26e8e755c267ca27439dcb7693b
                                                          • Opcode Fuzzy Hash: dc4bc405b0b70e346320061c7093c108f1531200b302fe9d3c16abacd2d2b3a6
                                                          • Instruction Fuzzy Hash: 6611A476500108AFCB02FF54D982CDD3BA5FF45350F4254A9FA4CAF222DA35EE509B90
                                                          APIs
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EC7FAD
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC7FC1
                                                          • GetFileAttributesW.KERNEL32(?), ref: 00EC7FEB
                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00EC8005
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC8017
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC8060
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EC80B0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectory$AttributesFile
                                                          • String ID: *.*
                                                          • API String ID: 769691225-438819550
                                                          • Opcode ID: 20216c561165b36c48c74a1bcb95a05f01668c93f2670dd94bc6ea2dfb4a7ac3
                                                          • Instruction ID: 4fb297fa45eaa96ef48eaeaeaf9d3dbbe2ade99a069976510a634e04518c5b9b
                                                          • Opcode Fuzzy Hash: 20216c561165b36c48c74a1bcb95a05f01668c93f2670dd94bc6ea2dfb4a7ac3
                                                          • Instruction Fuzzy Hash: 7981AF725082419FCB20DB14CA41EAAB3E8BB88354F146C5EF8C5E7250EB36DD4ACB52
                                                          APIs
                                                          • SetWindowLongW.USER32(?,000000EB), ref: 00E55C7A
                                                            • Part of subcall function 00E55D0A: GetClientRect.USER32(?,?), ref: 00E55D30
                                                            • Part of subcall function 00E55D0A: GetWindowRect.USER32(?,?), ref: 00E55D71
                                                            • Part of subcall function 00E55D0A: ScreenToClient.USER32(?,?), ref: 00E55D99
                                                          • GetDC.USER32 ref: 00E946F5
                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E94708
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00E94716
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00E9472B
                                                          • ReleaseDC.USER32(?,00000000), ref: 00E94733
                                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E947C4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                          • String ID: U
                                                          • API String ID: 4009187628-3372436214
                                                          • Opcode ID: 19ed141811c76c5302fd3e3a15e35b72f23292e31e9f3474cb2446cead8cc157
                                                          • Instruction ID: 4a56b93a8660f890d8938432370819b68f60c0fa6199cba64b9d5bc226c8ca10
                                                          • Opcode Fuzzy Hash: 19ed141811c76c5302fd3e3a15e35b72f23292e31e9f3474cb2446cead8cc157
                                                          • Instruction Fuzzy Hash: 9371D0B1400209DFCF218FA4C984EFA7BB5FF4A359F14666AED517A1A6C3309846DF50
                                                          APIs
                                                          • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00EC35E4
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                          • LoadStringW.USER32(00F22390,?,00000FFF,?), ref: 00EC360A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: LoadString$_wcslen
                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                          • API String ID: 4099089115-2391861430
                                                          • Opcode ID: 07e2d54f3ed8f8e9c9bd25dc8a1b9a567f1702d77624f578df39cd931d01b88c
                                                          • Instruction ID: ebf94aeedafae5b37c273ffd1ede2fbd6ded023dc87886f5cb202baa70f643d5
                                                          • Opcode Fuzzy Hash: 07e2d54f3ed8f8e9c9bd25dc8a1b9a567f1702d77624f578df39cd931d01b88c
                                                          • Instruction Fuzzy Hash: 1851917280020DBACF14EBA0CD42EEEBBB5EF14341F146525F505720A2EB315B99DF61
                                                          APIs
                                                            • Part of subcall function 00E69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E69BB2
                                                            • Part of subcall function 00E6912D: GetCursorPos.USER32(?), ref: 00E69141
                                                            • Part of subcall function 00E6912D: ScreenToClient.USER32(00000000,?), ref: 00E6915E
                                                            • Part of subcall function 00E6912D: GetAsyncKeyState.USER32(00000001), ref: 00E69183
                                                            • Part of subcall function 00E6912D: GetAsyncKeyState.USER32(00000002), ref: 00E6919D
                                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00EE8B6B
                                                          • ImageList_EndDrag.COMCTL32 ref: 00EE8B71
                                                          • ReleaseCapture.USER32 ref: 00EE8B77
                                                          • SetWindowTextW.USER32(?,00000000), ref: 00EE8C12
                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00EE8C25
                                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00EE8CFF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                          • API String ID: 1924731296-2107944366
                                                          • Opcode ID: c8aa4bb7eeba8766dfbc2c9ac81810b6b5efedb281743f3253ee25a921862282
                                                          • Instruction ID: 95682a74ce38d7ada8bb82f3859c9368628138c2ae3e84c170b9d01092d9bc8a
                                                          • Opcode Fuzzy Hash: c8aa4bb7eeba8766dfbc2c9ac81810b6b5efedb281743f3253ee25a921862282
                                                          • Instruction Fuzzy Hash: B251CC70204348AFD714DF11DC96FAAB7E4FB88714F101A2DF956A72E2CB309949CB62
                                                          APIs
                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00ECC272
                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00ECC29A
                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00ECC2CA
                                                          • GetLastError.KERNEL32 ref: 00ECC322
                                                          • SetEvent.KERNEL32(?), ref: 00ECC336
                                                          • InternetCloseHandle.WININET(00000000), ref: 00ECC341
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                          • String ID:
                                                          • API String ID: 3113390036-3916222277
                                                          • Opcode ID: 6b43bb60b92ee0188549985cc7023c1fa3f5a736462a9a169bf2f389baca1d1a
                                                          • Instruction ID: 59b3f0bc8e9e2ca92430aaf3929e5d1596beeaae74d9209bf903e02133990479
                                                          • Opcode Fuzzy Hash: 6b43bb60b92ee0188549985cc7023c1fa3f5a736462a9a169bf2f389baca1d1a
                                                          • Instruction Fuzzy Hash: 5831D171500748AFD7219F699E88FAB7BFCEB49744B24941EF44AB6210DB32DC078B60
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E93AAF,?,?,Bad directive syntax error,00EECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00EB98BC
                                                          • LoadStringW.USER32(00000000,?,00E93AAF,?), ref: 00EB98C3
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00EB9987
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadMessageModuleString_wcslen
                                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                          • API String ID: 858772685-4153970271
                                                          • Opcode ID: eb4769d1c6c380776f144580d7bddd8ab72be8cb4045ef81bc645c0383822afe
                                                          • Instruction ID: 4b7086e9a892ad9d3570eede4922e9c7d8a775bcebb3b6b1c2753aa19102927d
                                                          • Opcode Fuzzy Hash: eb4769d1c6c380776f144580d7bddd8ab72be8cb4045ef81bc645c0383822afe
                                                          • Instruction Fuzzy Hash: FB217E3190021EEBCF15AFA0CC46EEE77B5FF18341F045865FA15760A2EB719658DB11
                                                          APIs
                                                          • GetParent.USER32 ref: 00EB20AB
                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00EB20C0
                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EB214D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameParentSend
                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                          • API String ID: 1290815626-3381328864
                                                          • Opcode ID: 15cda5aa7ebd6445942e103ed51d066a9a83ff40c1a4c248d64c621139b66448
                                                          • Instruction ID: 465f6968b9ff312712fae1d64d386010c0336a2d69eab8a7adc8a53590308137
                                                          • Opcode Fuzzy Hash: 15cda5aa7ebd6445942e103ed51d066a9a83ff40c1a4c248d64c621139b66448
                                                          • Instruction Fuzzy Hash: 681106B6688707B9F6016224DC06DE7379CCF44B28F20601AFB08F50E2FA65A8426A15
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                          • String ID:
                                                          • API String ID: 1282221369-0
                                                          • Opcode ID: 374de0b7c8bd9e53dbc0ce1e4cb9dcdca9debc7bd597a3ba3d6282ba047ac9f5
                                                          • Instruction ID: 127c67198c4d9fd5472d5dc7879912b257b6c9944257c5a2b98f392b9d47d894
                                                          • Opcode Fuzzy Hash: 374de0b7c8bd9e53dbc0ce1e4cb9dcdca9debc7bd597a3ba3d6282ba047ac9f5
                                                          • Instruction Fuzzy Hash: A5615B72A05304AFEF31BFB49C81A697BD5EF06314F24516EFA4CB7282DA319D028760
                                                          APIs
                                                          • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00EA6890
                                                          • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00EA68A9
                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00EA68B9
                                                          • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00EA68D1
                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00EA68F2
                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E68874,00000000,00000000,00000000,000000FF,00000000), ref: 00EA6901
                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00EA691E
                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E68874,00000000,00000000,00000000,000000FF,00000000), ref: 00EA692D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                          • String ID:
                                                          • API String ID: 1268354404-0
                                                          • Opcode ID: eb244a8b57c52f812c370b1212d311b22e0ad5875278a495895aa83e364067de
                                                          • Instruction ID: cde94ae4c932a97154abd86b9007be35fa63d97b4cc70af7d6bb64081a163558
                                                          • Opcode Fuzzy Hash: eb244a8b57c52f812c370b1212d311b22e0ad5875278a495895aa83e364067de
                                                          • Instruction Fuzzy Hash: 5B51BAB4600209EFDB20CF25DC95FAA3BB5FB59794F141618F912AB2A0DB70E981DB40
                                                          APIs
                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00ECC182
                                                          • GetLastError.KERNEL32 ref: 00ECC195
                                                          • SetEvent.KERNEL32(?), ref: 00ECC1A9
                                                            • Part of subcall function 00ECC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00ECC272
                                                            • Part of subcall function 00ECC253: GetLastError.KERNEL32 ref: 00ECC322
                                                            • Part of subcall function 00ECC253: SetEvent.KERNEL32(?), ref: 00ECC336
                                                            • Part of subcall function 00ECC253: InternetCloseHandle.WININET(00000000), ref: 00ECC341
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                          • String ID:
                                                          • API String ID: 337547030-0
                                                          • Opcode ID: 1b82a469cfe521558adf37a89db4afc471a5cd4a16d818de0fb56a342587d313
                                                          • Instruction ID: 0af9d80452e9f9c2273bcc336e0df996013a1a23414ac6808e58628b6b82895a
                                                          • Opcode Fuzzy Hash: 1b82a469cfe521558adf37a89db4afc471a5cd4a16d818de0fb56a342587d313
                                                          • Instruction Fuzzy Hash: 5831C371500A44EFDB248FB6DE44F66BBF8FF18304B24541DF95AA6620D732E8169B60
                                                          APIs
                                                            • Part of subcall function 00EB3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EB3A57
                                                            • Part of subcall function 00EB3A3D: GetCurrentThreadId.KERNEL32 ref: 00EB3A5E
                                                            • Part of subcall function 00EB3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EB25B3), ref: 00EB3A65
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00EB25BD
                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EB25DB
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00EB25DF
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00EB25E9
                                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EB2601
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00EB2605
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00EB260F
                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EB2623
                                                          • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00EB2627
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                          • String ID:
                                                          • API String ID: 2014098862-0
                                                          • Opcode ID: 9c61171d2bed6455133e3c8241acec8e2970284b09962a10c6f1e967da4860ab
                                                          • Instruction ID: 6aa9a9dddfb43dd0b86682e85007c4d0fceaf9924e112d21fde1c21650d555ef
                                                          • Opcode Fuzzy Hash: 9c61171d2bed6455133e3c8241acec8e2970284b09962a10c6f1e967da4860ab
                                                          • Instruction Fuzzy Hash: A001D830390254BBFB1067699CCAF9A7FA9DF4EB12F201015F354BE0D1C9E114498A6A
                                                          APIs
                                                          • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00EB1449,?,?,00000000), ref: 00EB180C
                                                          • HeapAlloc.KERNEL32(00000000,?,00EB1449,?,?,00000000), ref: 00EB1813
                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EB1449,?,?,00000000), ref: 00EB1828
                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,00EB1449,?,?,00000000), ref: 00EB1830
                                                          • DuplicateHandle.KERNEL32(00000000,?,00EB1449,?,?,00000000), ref: 00EB1833
                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EB1449,?,?,00000000), ref: 00EB1843
                                                          • GetCurrentProcess.KERNEL32(00EB1449,00000000,?,00EB1449,?,?,00000000), ref: 00EB184B
                                                          • DuplicateHandle.KERNEL32(00000000,?,00EB1449,?,?,00000000), ref: 00EB184E
                                                          • CreateThread.KERNEL32(00000000,00000000,00EB1874,00000000,00000000,00000000), ref: 00EB1868
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                          • String ID:
                                                          • API String ID: 1957940570-0
                                                          • Opcode ID: 94fad3c5907584200ca578d15acc1d179a2af40fadd5b135dba12aef40488798
                                                          • Instruction ID: 20d0ed72d3f13dbdb1d23dfd56a90c653a4b44eb6b1ec6b9c86a0f8dc15eeffb
                                                          • Opcode Fuzzy Hash: 94fad3c5907584200ca578d15acc1d179a2af40fadd5b135dba12aef40488798
                                                          • Instruction Fuzzy Hash: 9801BF75241348BFE710AB65DC8DF573B6CEB89B11F504451FA05EF192C6709805CB20
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: __alldvrm$_strrchr
                                                          • String ID: }}$}}$}}
                                                          • API String ID: 1036877536-1495402609
                                                          • Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                                                          • Instruction ID: 083004918d73929147989055dc49d7e12774d17be860156de592089078b578e1
                                                          • Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                                                          • Instruction Fuzzy Hash: 31A159B1E003879FDB15EF28C8917AEBBE5EF61354F1451ADE68DBB282C2348941C791
                                                          APIs
                                                            • Part of subcall function 00EBD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00EBD501
                                                            • Part of subcall function 00EBD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00EBD50F
                                                            • Part of subcall function 00EBD4DC: CloseHandle.KERNEL32(00000000), ref: 00EBD5DC
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EDA16D
                                                          • GetLastError.KERNEL32 ref: 00EDA180
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EDA1B3
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00EDA268
                                                          • GetLastError.KERNEL32(00000000), ref: 00EDA273
                                                          • CloseHandle.KERNEL32(00000000), ref: 00EDA2C4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                          • String ID: SeDebugPrivilege
                                                          • API String ID: 2533919879-2896544425
                                                          • Opcode ID: ec6f6ab876f01f045fce2669fee5bdc37960efb6e7363b916b215e4380a316f2
                                                          • Instruction ID: b6724b3ace7900ed99ce86b7b7fe8cebb111198703f304029b0578296bac69e2
                                                          • Opcode Fuzzy Hash: ec6f6ab876f01f045fce2669fee5bdc37960efb6e7363b916b215e4380a316f2
                                                          • Instruction Fuzzy Hash: B661AF702092429FD710DF15C894F16BBE1EF44318F18949DE4666B7A3C772ED4ACB92
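                                                          Two of the traces above are worth triaging together: the PostMessageW sequence that follows AttachThreadInput (message 0x0100/0x0101 is WM_KEYDOWN/WM_KEYUP, virtual keys 0x25 and 0x27 are VK_LEFT and VK_RIGHT), and the OpenProcess/TerminateProcess sequence that follows the Toolhelp process walk, where OpenProcess is called with access mask 0x00000001 (PROCESS_TERMINATE) next to the string SeDebugPrivilege. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses trace lines in the exact form they are printed here, decodes those Windows SDK constants and flags both behaviours. The two embedded traces are copied from the entries above; the parser and the helper names (parse_trace, flags_process_kill, keystrokes_posted) are the example's own.

```python
"""Added example: parse Joe Sandbox function API traces and flag two behaviours.

Not part of the Joe Sandbox report or of the analysed sample; the constants
are from the Windows SDK, the helper names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A trace line exactly as rendered in the report, e.g.
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EDA16D
#   • GetLastError.KERNEL32 ref: 00EDA180
#   • Part of subcall function 00EBD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00EBD50F
TRACE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Windows SDK constants for the values that appear in the two traces below.
PROCESS_TERMINATE = 0x0001               # OpenProcess desired-access mask
WM_KEYDOWN, WM_KEYUP = 0x0100, 0x0101    # PostMessageW message ids
VK_NAMES = {0x25: "VK_LEFT", 0x27: "VK_RIGHT"}


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report prints '?' or a string literal
    ref: int                    # address of the call site
    subcall: Optional[int]      # address of the sub-function the call belongs to, if any


def parse_trace(text: str) -> List[Call]:
    """Parse every trace line in text; lines that are not trace lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if not m:
            continue
        args = []
        for a in (x.strip() for x in (m.group("args") or "").split(",")):
            if not a:
                continue
            args.append(int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", a) else None)
        sub = m.group("sub")
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def flags_process_kill(calls: List[Call]) -> bool:
    """True when a process is opened with PROCESS_TERMINATE and TerminateProcess follows."""
    opened_for_kill = False
    for c in calls:
        if c.api == "OpenProcess" and c.args and c.args[0] == PROCESS_TERMINATE:
            opened_for_kill = True
        elif c.api == "TerminateProcess" and opened_for_kill:
            return True
    return False


def keystrokes_posted(calls: List[Call]) -> List[Tuple[str, str]]:
    """Key events posted with PostMessageW after AttachThreadInput, as (message, key) pairs."""
    if not any(c.api == "AttachThreadInput" for c in calls):
        return []
    events = []
    for c in calls:
        if c.api != "PostMessageW" or len(c.args) < 3 or c.args[1] not in (WM_KEYDOWN, WM_KEYUP):
            continue
        msg = "WM_KEYDOWN" if c.args[1] == WM_KEYDOWN else "WM_KEYUP"
        vk = c.args[2]
        events.append((msg, VK_NAMES.get(vk, "?" if vk is None else hex(vk))))
    return events


# Both traces are copied verbatim from the report entries above.
PROCESS_KILL_TRACE = """
• Part of subcall function 00EBD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00EBD501
• Part of subcall function 00EBD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00EBD50F
• Part of subcall function 00EBD4DC: CloseHandle.KERNEL32(00000000), ref: 00EBD5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EDA16D
• GetLastError.KERNEL32 ref: 00EDA180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EDA1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00EDA268
• GetLastError.KERNEL32(00000000), ref: 00EDA273
• CloseHandle.KERNEL32(00000000), ref: 00EDA2C4
"""

KEYSTROKE_TRACE = """
• Part of subcall function 00EB3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EB3A57
• Part of subcall function 00EB3A3D: GetCurrentThreadId.KERNEL32 ref: 00EB3A5E
• Part of subcall function 00EB3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EB25B3), ref: 00EB3A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00EB25BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EB25DB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00EB25DF
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00EB25E9
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EB2601
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00EB2605
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00EB260F
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EB2623
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00EB2627
"""

if __name__ == "__main__":
    print("process kill:", flags_process_kill(parse_trace(PROCESS_KILL_TRACE)))
    print("keystrokes:", keystrokes_posted(parse_trace(KEYSTROKE_TRACE)))
```

The parser keeps the "Part of subcall function" address on each call, so a rule can tell the Toolhelp walk in sub-function 00EBD4DC apart from the OpenProcess/TerminateProcess calls in the function itself; arguments the report prints as "?" or as string literals are kept as None rather than dropped, so positional checks such as the access mask in OpenProcess still line up.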
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EE3925
                                                          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00EE393A
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00EE3954
                                                          • _wcslen.LIBCMT ref: 00EE3999
                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00EE39C6
                                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00EE39F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window_wcslen
                                                          • String ID: SysListView32
                                                          • API String ID: 2147712094-78025650
                                                          • Opcode ID: 3cfeeeae9f0b2571037a5c19da99853fa462681008ccc553d0fcd99d1e38f218
                                                          • Instruction ID: 1df4078efbbdae57e0fe5df681ede744af75c79d7e5ad1a30709c7d140323708
                                                          • Opcode Fuzzy Hash: 3cfeeeae9f0b2571037a5c19da99853fa462681008ccc553d0fcd99d1e38f218
                                                          • Instruction Fuzzy Hash: 6241C171A0035DABEF219F65CC49BEA7BA9EF48354F101526F948F7282D371DA84CB90
                                                          APIs
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EBBCFD
                                                          • IsMenu.USER32(00000000), ref: 00EBBD1D
                                                          • CreatePopupMenu.USER32 ref: 00EBBD53
                                                          • GetMenuItemCount.USER32(017B6678), ref: 00EBBDA4
                                                          • InsertMenuItemW.USER32(017B6678,?,00000001,00000030), ref: 00EBBDCC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                          • String ID: 0$2
                                                          • API String ID: 93392585-3793063076
                                                          • Opcode ID: a55de5c3da7cb256f6f519fd91272329c97a886ba01d2fe9b4ad1e8b7a3222b4
                                                          • Instruction ID: 6b14ecae847495693e335259a1d0866a98d35afcf7dc681d13c9353134cbcbb7
                                                          • Opcode Fuzzy Hash: a55de5c3da7cb256f6f519fd91272329c97a886ba01d2fe9b4ad1e8b7a3222b4
                                                          • Instruction Fuzzy Hash: 60519C70A042099FDF21CFA9D884BEFBBF4AF45318F245219E451FB290D7B89945CB61
                                                          APIs
                                                          • _ValidateLocalCookies.LIBCMT ref: 00E72D4B
                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00E72D53
                                                          • _ValidateLocalCookies.LIBCMT ref: 00E72DE1
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00E72E0C
                                                          • _ValidateLocalCookies.LIBCMT ref: 00E72E61
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                          • String ID: &H$csm
                                                          • API String ID: 1170836740-1242228090
                                                          • Opcode ID: 9786ac1cb27068d873dcde8f92da623bfb70e83b2e62079ff57075ac046f26fc
                                                          • Instruction ID: e4c76263dbd152f6906d9fa4e0c52ac6a56596f0136acbd18e228c73a32962dd
                                                          • Opcode Fuzzy Hash: 9786ac1cb27068d873dcde8f92da623bfb70e83b2e62079ff57075ac046f26fc
                                                          • Instruction Fuzzy Hash: 0F418234E002099BCF24DF68C855A9EBBA5FF44318F14D159EA18BB292D731EA05CB91
                                                          APIs
                                                          • LoadIconW.USER32(00000000,00007F03), ref: 00EBC913
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: IconLoad
                                                          • String ID: blank$info$question$stop$warning
                                                          • API String ID: 2457776203-404129466
                                                          • Opcode ID: 0aff07a3b599d8e1f89cc633450d130a3272fb93e455ed68ad91a1678c1450e7
                                                          • Instruction ID: 1517e1c8c3897fb048d42978c6c277472172796c2ed2efdd856af8d819f59a49
                                                          • Opcode Fuzzy Hash: 0aff07a3b599d8e1f89cc633450d130a3272fb93e455ed68ad91a1678c1450e7
                                                          • Instruction Fuzzy Hash: F211E73268D307BAB7059B549C82CEB67DCDF95369B30502AF508F61C2EBA0AE416265
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                          • String ID: 0.0.0.0
                                                          • API String ID: 642191829-3771769585
                                                          • Opcode ID: 8bbb7e8e940edd9c39638877e2e06ea5ffbac014650b1ed1a3b5867e249fc52c
                                                          • Instruction ID: dda826da9cee377fe16db60fc54c3f24f1c6d937877d8b663ff187c5f5b42e89
                                                          • Opcode Fuzzy Hash: 8bbb7e8e940edd9c39638877e2e06ea5ffbac014650b1ed1a3b5867e249fc52c
                                                          • Instruction Fuzzy Hash: FD110671908209AFCB24AB31DC4AEEF77BCDF51714F10116AF549BA091FF71DA818A50
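The Similarity fields are the most useful handle when triaging hundreds of these per-function listings: the plugin fuses the imported API names into one 'API ID' string (CreateToolhelp32Snapshot, Process32First, OpenProcess, TerminateProcess together with the SeDebugPrivilege string in the block further up; gethostname, gethostbyname and inet_ntoa with the 0.0.0.0 string in the block directly above), joins the referenced strings with '$', and closes every block with an Instruction Fuzzy Hash. The following is an added example, not Joe Sandbox code and not part of this report: a parser for these listings (including the indented 'Part of subcall function' lines, whose callee address is kept) plus two triage rules. The rules, and the substring matching over the fused API ID, are this example's own assumptions rather than Joe Sandbox's signature logic. The sample input is an abbreviated excerpt of four blocks from this report.

```python
"""Parse the per-function 'APIs' / 'Similarity' blocks that Joe Sandbox's IDA plugin
prints in this report and flag behaviour clusters worth a closer look.  Added example,
not Joe Sandbox code: the triage rules and the substring matching are assumptions."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# "• OpenProcess.KERNEL32(00000001,?), ref: 00E5A1B2"  or  "• _wcslen.LIBCMT ref: 00EE3999"
_API_REF = re.compile(r"(\w+)\.([A-Z0-9]+)(?:\(([^)]*)\))?,? ref: ([0-9A-Fa-f]{6,})")
_SUBCALL = re.compile(r"Part of subcall function ([0-9A-Fa-f]+):")
_KV = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
_KEYS = {"API ID", "String ID", "API String ID", "Opcode ID", "Instruction Fuzzy Hash"}

# ref = call-site address; subcall = callee address on "Part of subcall function" lines
ApiRef = namedtuple("ApiRef", "name module args ref subcall")

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)      # ApiRef entries listed under "APIs"
    meta: dict = field(default_factory=dict)      # the "• Key: value" Similarity fields
    strings: list = field(default_factory=list)   # "String ID" split on '$'

def parse_blocks(text):
    """A block ends at its 'Instruction Fuzzy Hash' line, the last field the plugin
    prints for every function, so that line closes the current block."""
    blocks, cur = [], FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip()
        kv = _KV.match(line)
        if kv and kv.group(1) in _KEYS:
            cur.meta[kv.group(1)] = kv.group(2).strip()
            if kv.group(1) == "Instruction Fuzzy Hash":
                cur.strings = [s for s in cur.meta.get("String ID", "").split("$") if s]
                blocks.append(cur)
                cur = FunctionBlock()
            continue
        api = _API_REF.search(line)
        if api:
            sub = _SUBCALL.search(line)
            args = [a for a in (api.group(3) or "").split(",") if a]
            cur.apis.append(ApiRef(api.group(1), api.group(2), args,
                                   api.group(4).upper(), sub.group(1).upper() if sub else ""))
    return blocks

def _has(block, *needles):  # substring test over the fused, lower-cased API ID
    return all(n.lower() in block.meta.get("API ID", "").lower() for n in needles)

RULES = [  # assumed heuristics, not Joe Sandbox signatures
    # SeDebugPrivilege + Toolhelp32 walk + TerminateProcess: kills other processes, the
    # capability behind this report's Credential Flusher verdict.
    ("kills-processes", lambda b: "SeDebugPrivilege" in b.strings and _has(b, "Terminate")
     and (_has(b, "Toolhelp32") or _has(b, "Snapshot"))),
    # gethostname/gethostbyname/inet_ntoa plus a 0.0.0.0 fallback string: local IP discovery
    ("resolves-local-ip", lambda b: _has(b, "gethostname") or _has(b, "gethostbyname")),
]

def triage(blocks):
    """{rule: [Opcode ID, ...]}, de-duplicated so a function listed twice counts once."""
    seen, hits = set(), {name: [] for name, _ in RULES}
    for b in blocks:
        oid = b.meta.get("Opcode ID", "")
        if oid in seen:
            continue
        seen.add(oid)
        for name, pred in RULES:
            if pred(b):
                hits[name].append(oid)
    return hits

def call_sites(blocks, api_name):
    """Sorted call-site addresses of api_name, for pivoting into the memory dump."""
    return sorted({a.ref for b in blocks for a in b.apis if a.name == api_name})

# Excerpt of four function blocks from this report, cut down to the fields used here.
SAMPLE = """\
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• Opcode ID: ec6f6ab876f01f045fce2669fee5bdc37960efb6e7363b916b215e4380a316f2
• Instruction Fuzzy Hash: B661AF702092429FD710DF15C894F16BBE1EF44318F18949DE4666B7A3C772ED4ACB92
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EE3925
• _wcslen.LIBCMT ref: 00EE3999
• SendMessageW.USER32(?,00001057,00000000,?), ref: 00EE39C6
• API ID: MessageSend$Window_wcslen
• String ID: SysListView32
• Opcode ID: 3cfeeeae9f0b2571037a5c19da99853fa462681008ccc553d0fcd99d1e38f218
• Instruction Fuzzy Hash: 6241C171A0035DABEF219F65CC49BEA7BA9EF48354F101526F948F7282D371DA84CB90
• API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• Opcode ID: 8bbb7e8e940edd9c39638877e2e06ea5ffbac014650b1ed1a3b5867e249fc52c
• Instruction Fuzzy Hash: FD110671908209AFCB24AB31DC4AEEF77BCDF51714F10116AF549BA091FF71DA818A50
  • Part of subcall function 00E69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E69BB2
• GetSystemMetrics.USER32(0000000F), ref: 00EE9FC7
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• Opcode ID: 1907ac0d8ed71dd2321ed6297273b1ec7334f54cf4b04bceffd68e0532a43188
• Instruction Fuzzy Hash: C2B1B730600259EFDF14CF6AC9847AA7BB2BF48705F089079ED89AB2A5D731A940CB51
"""

if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    for rule, ids in triage(blocks).items():
        print(f"{rule}: {[i[:12] for i in ids]}")
    print("SendMessageW call sites:", call_sites(blocks, "SendMessageW"))
```

Run against the full report text, the same parser covers every block on this page; de-duplicating on Opcode ID matters because the plugin lists the same function once per call path, and pivoting from a rule hit to the call-site addresses via call_sites is how one gets from a fused API ID back to the exact location in the memory dump.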
                                                          APIs
                                                            • Part of subcall function 00E69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E69BB2
                                                          • GetSystemMetrics.USER32(0000000F), ref: 00EE9FC7
                                                          • GetSystemMetrics.USER32(0000000F), ref: 00EE9FE7
                                                          • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00EEA224
                                                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00EEA242
                                                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00EEA263
                                                          • ShowWindow.USER32(00000003,00000000), ref: 00EEA282
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00EEA2A7
                                                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 00EEA2CA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                          • String ID:
                                                          • API String ID: 1211466189-0
                                                          • Opcode ID: 1907ac0d8ed71dd2321ed6297273b1ec7334f54cf4b04bceffd68e0532a43188
                                                          • Instruction ID: cceea2755f8f7da11e368d611f822c89046664bfd3044a91d0a859453134d6d9
                                                          • Opcode Fuzzy Hash: 1907ac0d8ed71dd2321ed6297273b1ec7334f54cf4b04bceffd68e0532a43188
                                                          • Instruction Fuzzy Hash: C2B1B730600259EFDF14CF6AC9847AA7BB2BF48705F089079ED89AB2A5D731A940CB51
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$LocalTime
                                                          • String ID:
                                                          • API String ID: 952045576-0
                                                          • Opcode ID: fef1f15ab35d3e96c226f3be700e95802ea00509dd31db48171ee359ced9e7c0
                                                          • Instruction ID: 10655f1e9e400e59ef0d98257c58fc659a830c770e6c20113532fa1ca248d33b
                                                          • Opcode Fuzzy Hash: fef1f15ab35d3e96c226f3be700e95802ea00509dd31db48171ee359ced9e7c0
                                                          • Instruction Fuzzy Hash: 0241BE65C1025876CB11EBB48C8A9CFB7FCAF45300F10A566E618F3262FB34E245C3A6
                                                          APIs
                                                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00EA682C,00000004,00000000,00000000), ref: 00E6F953
                                                          • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00EA682C,00000004,00000000,00000000), ref: 00EAF3D1
                                                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00EA682C,00000004,00000000,00000000), ref: 00EAF454
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ShowWindow
                                                          • String ID:
                                                          • API String ID: 1268545403-0
                                                          • Opcode ID: a36e914e64adade528775b510082c9f4cdb220e3bb31ab77b031184988557ccf
                                                          • Instruction ID: 41174dc67e6730a3da3a95a80f84bacd2bc2813d7d9a2613c85c29efcd39deca
                                                          • Opcode Fuzzy Hash: a36e914e64adade528775b510082c9f4cdb220e3bb31ab77b031184988557ccf
                                                          • Instruction Fuzzy Hash: 04412D30544780BEDB388BB9F8C876A7BA1ABDA398F14743DF0977A660C671E485D710
                                                          APIs
                                                          • DeleteObject.GDI32(00000000), ref: 00EE2D1B
                                                          • GetDC.USER32(00000000), ref: 00EE2D23
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EE2D2E
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00EE2D3A
                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00EE2D76
                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EE2D87
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EE5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00EE2DC2
                                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00EE2DE1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                          • String ID:
                                                          • API String ID: 3864802216-0
                                                          • Opcode ID: 7cb18ed52bc06d01f890da563c72bb6db152da8854558898c0090546b08b04fb
                                                          • Instruction ID: e2b104d6e3553e33fd4425ec9c8d36dd7f2095681e557e98e826e978091af34c
                                                          • Opcode Fuzzy Hash: 7cb18ed52bc06d01f890da563c72bb6db152da8854558898c0090546b08b04fb
                                                          • Instruction Fuzzy Hash: 4A318B72201298BFEB118F558C8AFEB3BADEB49715F144055FF08AE291C6759C42CBA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _memcmp
                                                          • String ID:
                                                          • API String ID: 2931989736-0
                                                          • Opcode ID: 8205e37dc3b46ecc7714a2222793564e49c4c54b81662a67344a6964bc3c4b97
                                                          • Instruction ID: b2a6cc6d3541fc280105fae3f733dec01f132bf88ac1d80ee371e6102f5ae0b3
                                                          • Opcode Fuzzy Hash: 8205e37dc3b46ecc7714a2222793564e49c4c54b81662a67344a6964bc3c4b97
                                                          • Instruction Fuzzy Hash: 4321C973B40B1D77E21455259D82FFB739CAF2038CF646021FD08BA585FB60EE1182A5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                          • API String ID: 0-572801152
                                                          • Opcode ID: 18463fff09591e8c94b835b5fc72396ace18b8892549805bec877bd430279b32
                                                          • Instruction ID: 6e619d2d8588eee83e8bbd87e1ba2a70f5c88a10b6d06d6605d30f0221174d24
                                                          • Opcode Fuzzy Hash: 18463fff09591e8c94b835b5fc72396ace18b8892549805bec877bd430279b32
                                                          • Instruction Fuzzy Hash: E6D18F72A0060A9FDB10CF98C881BAEB7B5FF48344F14946AE915BB391E771DD46CB90
                                                          APIs
                                                          • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00E917FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00E915CE
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E91651
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00E917FB,?,00E917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E916E4
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E916FB
                                                            • Part of subcall function 00E83820: RtlAllocateHeap.NTDLL(00000000,?,00F21444,?,00E6FDF5,?,?,00E5A976,00000010,00F21440,00E513FC,?,00E513C6,?,00E51129), ref: 00E83852
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00E917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E91777
                                                          • __freea.LIBCMT ref: 00E917A2
                                                          • __freea.LIBCMT ref: 00E917AE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                          • String ID:
                                                          • API String ID: 2829977744-0
                                                          • Opcode ID: 92ce8f4c551660158c100e6135d49fcec69adf2625fe10ec5dfdfe9054563d0f
                                                          • Instruction ID: 5a5fb3fd5f8ff943ebc5f58c735ebc836ec14117acb63a0cd0649bb39b9a6dc3
                                                          • Opcode Fuzzy Hash: 92ce8f4c551660158c100e6135d49fcec69adf2625fe10ec5dfdfe9054563d0f
                                                          • Instruction Fuzzy Hash: CF91A072E00217AEDF218EA4C881AEE7BB5AF49714F19669AF905F7181D735DC40CBA0
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Variant$ClearInit
                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                          • API String ID: 2610073882-625585964
                                                          • Opcode ID: 2c6cbe7ba052d016819323356be7f84bf922c4b04ca5c2b1eb34819c0688729b
                                                          • Instruction ID: b89d5851f79ecaf866ab8ec1ce26296962c9822e92fca701652e8ad83862a77a
                                                          • Opcode Fuzzy Hash: 2c6cbe7ba052d016819323356be7f84bf922c4b04ca5c2b1eb34819c0688729b
                                                          • Instruction Fuzzy Hash: B691A0B0A00219AFCF20CFA5D884FEEBBB8EF55714F10955AF515BB280D7709942CBA0
                                                          APIs
                                                          • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00EC125C
                                                          • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EC1284
                                                          • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00EC12A8
                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EC12D8
                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EC135F
                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EC13C4
                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EC1430
                                                          Similarity
                                                          • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                          • String ID:
                                                          • API String ID: 2550207440-0
                                                          • Opcode ID: 7bccce38ef5d32f79a6692e20938506158fd1479fdb4e569fd27508cf39c907d
                                                          • Instruction ID: a86801ce569e19746c1a2347fc30f82ebd84067831d448a2ce946df51705c1a3
                                                          • Opcode Fuzzy Hash: 7bccce38ef5d32f79a6692e20938506158fd1479fdb4e569fd27508cf39c907d
                                                          • Instruction Fuzzy Hash: 0891E1759002089FDB04DF98C884FBEB7B5FF46315F2050A9E950FB2A2D776A942CB50
                                                          Similarity
                                                          • API ID: ObjectSelect$BeginCreatePath
                                                          • String ID:
                                                          • API String ID: 3225163088-0
                                                          • Opcode ID: 8959e7a60e224c85308655a1802229211583af57ef346a542e6ad81b3711a07c
                                                          • Instruction ID: 2eb8f798200f898d90f93ac94eb0b6c0776064100e928b925ab7a3aaa35171d1
                                                          • Opcode Fuzzy Hash: 8959e7a60e224c85308655a1802229211583af57ef346a542e6ad81b3711a07c
                                                          • Instruction Fuzzy Hash: 69914A71D40219EFCB10CFA9DC84AEEBBB8FF49324F145059E516BB252D774A942CBA0
                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 00ED396B
                                                          • CharUpperBuffW.USER32(?,?), ref: 00ED3A7A
                                                          • _wcslen.LIBCMT ref: 00ED3A8A
                                                          • VariantClear.OLEAUT32(?), ref: 00ED3C1F
                                                            • Part of subcall function 00EC0CDF: VariantInit.OLEAUT32(00000000), ref: 00EC0D1F
                                                            • Part of subcall function 00EC0CDF: VariantCopy.OLEAUT32(?,?), ref: 00EC0D28
                                                            • Part of subcall function 00EC0CDF: VariantClear.OLEAUT32(?), ref: 00EC0D34
                                                          Strings
                                                          Similarity
                                                          • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                          • API String ID: 4137639002-1221869570
                                                          • Opcode ID: 83532e4470da9c7a29f53111adacdf0f1b8c004f49ccd6643f4938489ab42ce0
                                                          • Instruction ID: d0231483e5c0d7465ecba75c6e8946a4dd2e395bacc39aa2765ce5df3b9f69fa
                                                          • Opcode Fuzzy Hash: 83532e4470da9c7a29f53111adacdf0f1b8c004f49ccd6643f4938489ab42ce0
                                                          • Instruction Fuzzy Hash: 62918D756083059FC704DF24C48096AB7E5FF89314F14992EF889AB352DB31EE4ACB92
                                                          APIs
                                                            • Part of subcall function 00EB000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EAFF41,80070057,?,?,?,00EB035E), ref: 00EB002B
                                                            • Part of subcall function 00EB000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EAFF41,80070057,?,?), ref: 00EB0046
                                                            • Part of subcall function 00EB000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EAFF41,80070057,?,?), ref: 00EB0054
                                                            • Part of subcall function 00EB000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EAFF41,80070057,?), ref: 00EB0064
                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00ED4C51
                                                          • _wcslen.LIBCMT ref: 00ED4D59
                                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00ED4DCF
                                                          • CoTaskMemFree.OLE32(?), ref: 00ED4DDA
                                                          Strings
                                                          Similarity
                                                          • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                          • String ID: NULL Pointer assignment
                                                          • API String ID: 614568839-2785691316
                                                          • Opcode ID: a3a24a016a5b09c71e75d76d6912a550fcaa9913e525c7311547be18e829d869
                                                          • Instruction ID: f269545c0bc78f6060cd4041135c101423e411b04e7e011c7d4c1ecff7f72e83
                                                          • Opcode Fuzzy Hash: a3a24a016a5b09c71e75d76d6912a550fcaa9913e525c7311547be18e829d869
                                                          • Instruction Fuzzy Hash: C59117B1D0021DAFDF14DFA4C891AEEB7B9FF08304F10556AE915BB281DB309A498F60
                                                          APIs
                                                          • GetMenu.USER32(?), ref: 00EE2183
                                                          • GetMenuItemCount.USER32(00000000), ref: 00EE21B5
                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00EE21DD
                                                          • _wcslen.LIBCMT ref: 00EE2213
                                                          • GetMenuItemID.USER32(?,?), ref: 00EE224D
                                                          • GetSubMenu.USER32(?,?), ref: 00EE225B
                                                            • Part of subcall function 00EB3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EB3A57
                                                            • Part of subcall function 00EB3A3D: GetCurrentThreadId.KERNEL32 ref: 00EB3A5E
                                                            • Part of subcall function 00EB3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EB25B3), ref: 00EB3A65
                                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EE22E3
                                                            • Part of subcall function 00EBE97B: Sleep.KERNEL32 ref: 00EBE9F3
                                                          Similarity
                                                          • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                          • String ID:
                                                          • API String ID: 4196846111-0
                                                          • Opcode ID: 894421d122724de81a7a8fd170c39185ee3fa6e671f19967a9c84f44b7910380
                                                          • Instruction ID: ed6304bd6b058a4430a17f2dce0cfd01c4727f121e623edb35bbf5db0e4ca987
                                                          • Opcode Fuzzy Hash: 894421d122724de81a7a8fd170c39185ee3fa6e671f19967a9c84f44b7910380
                                                          • Instruction Fuzzy Hash: 69718D75A00249AFCB10DF65C881AAEBBF9EF88314F14945DEA16FB351D734EE418B90
                                                          APIs
                                                          • IsWindow.USER32(017B6830), ref: 00EE7F37
                                                          • IsWindowEnabled.USER32(017B6830), ref: 00EE7F43
                                                          • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00EE801E
                                                          • SendMessageW.USER32(017B6830,000000B0,?,?), ref: 00EE8051
                                                          • IsDlgButtonChecked.USER32(?,?), ref: 00EE8089
                                                          • GetWindowLongW.USER32(017B6830,000000EC), ref: 00EE80AB
                                                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00EE80C3
                                                          Similarity
                                                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                          • String ID:
                                                          • API String ID: 4072528602-0
                                                          • Opcode ID: 5786ee30bd7d796ca2b5a3008290d1c60feed8fd4f7ab12e97148926c2540fd3
                                                          • Instruction ID: e2fa87fcdc2b54f1577d8c5175a966159b1acf6818cc0e44ba4e1fda26585058
                                                          • Opcode Fuzzy Hash: 5786ee30bd7d796ca2b5a3008290d1c60feed8fd4f7ab12e97148926c2540fd3
                                                          • Instruction Fuzzy Hash: 9A718C3460828CAFEB259F66C894FEA7BB9FF09304F145459F985B7261CB31A845DB10
                                                          APIs
                                                          • GetParent.USER32(?), ref: 00EBAEF9
                                                          • GetKeyboardState.USER32(?), ref: 00EBAF0E
                                                          • SetKeyboardState.USER32(?), ref: 00EBAF6F
                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00EBAF9D
                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 00EBAFBC
                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00EBAFFD
                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00EBB020
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          • Opcode ID: e3bde42c8f28e3b6f38bd608a82391a53f58aaf674dbca31b55a327bc8810ca4
                                                          • Instruction ID: 3b04fbada93c49a454335f0368a7aa244abd88bf5696c4b58231c749f3caffa1
                                                          • Opcode Fuzzy Hash: e3bde42c8f28e3b6f38bd608a82391a53f58aaf674dbca31b55a327bc8810ca4
                                                          • Instruction Fuzzy Hash: A751DFA0A046D57DFB369234C845BFBBEE95B06308F0C9499E1E9658D2C3E8E8C8D751
                                                          APIs
                                                          • GetParent.USER32(00000000), ref: 00EBAD19
                                                          • GetKeyboardState.USER32(?), ref: 00EBAD2E
                                                          • SetKeyboardState.USER32(?), ref: 00EBAD8F
                                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00EBADBB
                                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00EBADD8
                                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00EBAE17
                                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00EBAE38
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          • Opcode ID: 3718cdf1931cfdd6412920d74bcc3279a17bd9c440c68ab1ace7de5011b1a2d2
                                                          • Instruction ID: ae1aef5a961deaaf72a845d08770a7d85ba52152f5286f6692362eb8b6764eb6
                                                          • Opcode Fuzzy Hash: 3718cdf1931cfdd6412920d74bcc3279a17bd9c440c68ab1ace7de5011b1a2d2
                                                          • Instruction Fuzzy Hash: 6951D3A15047D53DFF3383248C95BFBBEE95B46308F0C9598E1D5668D2C294EC88D762
                                                          APIs
                                                          • GetConsoleCP.KERNEL32(00E93CD6,?,?,?,?,?,?,?,?,00E85BA3,?,?,00E93CD6,?,?), ref: 00E85470
                                                          • __fassign.LIBCMT ref: 00E854EB
                                                          • __fassign.LIBCMT ref: 00E85506
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00E93CD6,00000005,00000000,00000000), ref: 00E8552C
                                                          • WriteFile.KERNEL32(?,00E93CD6,00000000,00E85BA3,00000000,?,?,?,?,?,?,?,?,?,00E85BA3,?), ref: 00E8554B
                                                          • WriteFile.KERNEL32(?,?,00000001,00E85BA3,00000000,?,?,?,?,?,?,?,?,?,00E85BA3,?), ref: 00E85584
                                                          Similarity
                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                          • String ID:
                                                          • API String ID: 1324828854-0
                                                          • Opcode ID: 62daef8c8efc40eb0a7a73d7778fb0723e1222071df2f9701c0716337e8415ac
                                                          • Instruction ID: 2605eb678539587bb719e9b29b7a65fd70b249dd9d73587941ee56912cf7b706
                                                          • Opcode Fuzzy Hash: 62daef8c8efc40eb0a7a73d7778fb0723e1222071df2f9701c0716337e8415ac
                                                          • Instruction Fuzzy Hash: 9C51A272A006499FDB10DFA8D885AEEBBF9EF09300F14515AF959F7291DB309A41CF60
                                                          APIs
                                                            • Part of subcall function 00ED304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00ED307A
                                                            • Part of subcall function 00ED304E: _wcslen.LIBCMT ref: 00ED309B
                                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00ED1112
                                                          • WSAGetLastError.WSOCK32 ref: 00ED1121
                                                          • WSAGetLastError.WSOCK32 ref: 00ED11C9
                                                          • closesocket.WSOCK32(00000000), ref: 00ED11F9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                          • String ID:
                                                          • API String ID: 2675159561-0
                                                          • Opcode ID: 0b5f4637ece1d3cd883d07ec95cc22a2dc763e167336099638ea643fd3161d20
                                                          • Instruction ID: 6268aa167871469a2134e4bb9341585e1815b320acc87486617666316a203dcf
                                                          • Opcode Fuzzy Hash: 0b5f4637ece1d3cd883d07ec95cc22a2dc763e167336099638ea643fd3161d20
                                                          • Instruction Fuzzy Hash: 7641D631600218AFDB109F64C884BA9B7E9EF45368F14909AFD15BF391C770AD46CBA1
                                                          APIs
                                                            • Part of subcall function 00EBDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EBCF22,?), ref: 00EBDDFD
                                                            • Part of subcall function 00EBDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EBCF22,?), ref: 00EBDE16
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00EBCF45
                                                          • MoveFileW.KERNEL32(?,?), ref: 00EBCF7F
                                                          • _wcslen.LIBCMT ref: 00EBD005
                                                          • _wcslen.LIBCMT ref: 00EBD01B
                                                          • SHFileOperationW.SHELL32(?), ref: 00EBD061
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                          • String ID: \*.*
                                                          • API String ID: 3164238972-1173974218
                                                          • Opcode ID: f13c47637809d6cb323c505ee836a5e749eea6c430471c095112b4cee9032c0b
                                                          • Instruction ID: 79017eb695c34971361d577403317ba60636e4951d84160e313e62a0b1c25159
                                                          • Opcode Fuzzy Hash: f13c47637809d6cb323c505ee836a5e749eea6c430471c095112b4cee9032c0b
                                                          • Instruction Fuzzy Hash: 4F4156719092199FDF12EFA4DD81AEEB7F9AF08340F1410E6E509FB142EB34A649CB50
                                                          APIs
                                                          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00EE2E1C
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00EE2E4F
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00EE2E84
                                                          • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00EE2EB6
                                                          • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00EE2EE0
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00EE2EF1
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EE2F0B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: LongWindow$MessageSend
                                                          • String ID:
                                                          • API String ID: 2178440468-0
                                                          • Opcode ID: 3a76af6720aa8ce085d7a29b7447d228fa2968c16b4c1c0f3d9f082aea53363d
                                                          • Instruction ID: 2889ddca6bd2d8ee96cb337bd64c400411d432e46860c7e0b134ba197b50d652
                                                          • Opcode Fuzzy Hash: 3a76af6720aa8ce085d7a29b7447d228fa2968c16b4c1c0f3d9f082aea53363d
                                                          • Instruction Fuzzy Hash: 0E312A306042A99FEB22CF5ADC84F6537E8FB5A714F1411A8FA00AF2B1CB71AC45DB41
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EB7769
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EB778F
                                                          • SysAllocString.OLEAUT32(00000000), ref: 00EB7792
                                                          • SysAllocString.OLEAUT32(?), ref: 00EB77B0
                                                          • SysFreeString.OLEAUT32(?), ref: 00EB77B9
                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 00EB77DE
                                                          • SysAllocString.OLEAUT32(?), ref: 00EB77EC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                          • String ID:
                                                          • API String ID: 3761583154-0
                                                          • Opcode ID: 669e9ada5348e53bf3de40f67762068f23bfe121c75286851c63f9eec703ed94
                                                          • Instruction ID: fb1c15d1181cad3d8d29d48d9e2aa2e24c6fa7f8d2f777957eb0b39054e1894a
                                                          • Opcode Fuzzy Hash: 669e9ada5348e53bf3de40f67762068f23bfe121c75286851c63f9eec703ed94
                                                          • Instruction Fuzzy Hash: 1C21B276604229AFDB10DFA9DC88CFB77ACEB493647108026F954EF1A0DA70DC46C760
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EB7842
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EB7868
                                                          • SysAllocString.OLEAUT32(00000000), ref: 00EB786B
                                                          • SysAllocString.OLEAUT32 ref: 00EB788C
                                                          • SysFreeString.OLEAUT32 ref: 00EB7895
                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 00EB78AF
                                                          • SysAllocString.OLEAUT32(?), ref: 00EB78BD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                          • String ID:
                                                          • API String ID: 3761583154-0
                                                          • Opcode ID: 81ad11c01923015e823673a85ccd02b392ed43ad259d98014ff79ced0c2d881e
                                                          • Instruction ID: 2c12608c6d42c70680772f4526b4c583de50b89d187ecee75a56de928ac0dcd4
                                                          • Opcode Fuzzy Hash: 81ad11c01923015e823673a85ccd02b392ed43ad259d98014ff79ced0c2d881e
                                                          • Instruction Fuzzy Hash: 4A21B331608218AFDB149FB9EC8CDEB77ECEB483647108125F955EB2A1D670DC45CB64
                                                          APIs
                                                          • GetStdHandle.KERNEL32(0000000C), ref: 00EC04F2
                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EC052E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CreateHandlePipe
                                                          • String ID: nul
                                                          • API String ID: 1424370930-2873401336
                                                          • Opcode ID: 2501f3ea212b8cfe2da320060ec9eac05b97562fdbef4ac468ff17df7b955e4d
                                                          • Instruction ID: 47bcbd280d336eac404eadd1a477ab93373155cea04556c48fa67d5c560f7fe9
                                                          • Opcode Fuzzy Hash: 2501f3ea212b8cfe2da320060ec9eac05b97562fdbef4ac468ff17df7b955e4d
                                                          • Instruction Fuzzy Hash: F7213975500309EFDF309F29D944F9A7BA4AF44728F204A1DF8A1A62E0D7729956CF20
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00EC05C6
                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EC0601
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CreateHandlePipe
                                                          • String ID: nul
                                                          • API String ID: 1424370930-2873401336
                                                          • Opcode ID: e5aa482e3b2ebb23fe300c869b80a98075d5971effafde6d7c5619c581427e7b
                                                          • Instruction ID: 19b0d7f6a6760c153d97edaa0568142f7d503f03eb97cd62007dee15256e10ea
                                                          • Opcode Fuzzy Hash: e5aa482e3b2ebb23fe300c869b80a98075d5971effafde6d7c5619c581427e7b
                                                          • Instruction Fuzzy Hash: B921A175500315DFDB208F699D44F9A77E8AF85B24F200A1DF8A1F72E0D7729862CB10
                                                          APIs
                                                            • Part of subcall function 00E5600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E5604C
                                                            • Part of subcall function 00E5600E: GetStockObject.GDI32(00000011), ref: 00E56060
                                                            • Part of subcall function 00E5600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E5606A
                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EE4112
                                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EE411F
                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EE412A
                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EE4139
                                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EE4145
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                          • String ID: Msctls_Progress32
                                                          • API String ID: 1025951953-3636473452
                                                          • Opcode ID: e8e15c7e912f2750c35ac5d9c2a945e70a6432c555bb9cdac8b7aad5da02a30f
                                                          • Instruction ID: 26f4e22ccbf2228fc7836ea216986db1bd99c22dd40a86a12f1640dd6290428e
                                                          • Opcode Fuzzy Hash: e8e15c7e912f2750c35ac5d9c2a945e70a6432c555bb9cdac8b7aad5da02a30f
                                                          • Instruction Fuzzy Hash: 8E11B2B214021DBEEF219F65CC85EE77FADEF08798F015110BA18A6190C676DC61DBA4
                                                          APIs
                                                            • Part of subcall function 00E8D7A3: _free.LIBCMT ref: 00E8D7CC
                                                          • _free.LIBCMT ref: 00E8D82D
                                                            • Part of subcall function 00E829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E8D7D1,00000000,00000000,00000000,00000000,?,00E8D7F8,00000000,00000007,00000000,?,00E8DBF5,00000000), ref: 00E829DE
                                                            • Part of subcall function 00E829C8: GetLastError.KERNEL32(00000000,?,00E8D7D1,00000000,00000000,00000000,00000000,?,00E8D7F8,00000000,00000007,00000000,?,00E8DBF5,00000000,00000000), ref: 00E829F0
                                                          • _free.LIBCMT ref: 00E8D838
                                                          • _free.LIBCMT ref: 00E8D843
                                                          • _free.LIBCMT ref: 00E8D897
                                                          • _free.LIBCMT ref: 00E8D8A2
                                                          • _free.LIBCMT ref: 00E8D8AD
                                                          • _free.LIBCMT ref: 00E8D8B8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                          • Instruction ID: eadf65006bfe65f3c9bbc05fad1e13c020ba1249290081ed59f91892b444a347
                                                          • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                          • Instruction Fuzzy Hash: E1112E71584B04AAD621BFB0CC47FCF7BDCAF44700F40582AF29DB64D2DA6AB5058760
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EBDA74
                                                          • LoadStringW.USER32(00000000), ref: 00EBDA7B
                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EBDA91
                                                          • LoadStringW.USER32(00000000), ref: 00EBDA98
                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EBDADC
                                                          Strings
                                                          • %s (%d) : ==> %s: %s %s, xrefs: 00EBDAB9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadModuleString$Message
                                                          • String ID: %s (%d) : ==> %s: %s %s
                                                          • API String ID: 4072794657-3128320259
                                                          • Opcode ID: 4453eb5f9be7bba0211b0533dee4e788faeed0fc295654d91d46c25c9421aa50
                                                          • Instruction ID: dd613a057cf6d6d2b25307c93216fc9f5a0e786e26eccf87d02c6d362606ff5b
                                                          • Opcode Fuzzy Hash: 4453eb5f9be7bba0211b0533dee4e788faeed0fc295654d91d46c25c9421aa50
                                                          • Instruction Fuzzy Hash: 460162F250024CBFEB109BA19DC9EE7736CEB08701F500492B71AF6041E6749E898F74
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(017AD558,017AD558), ref: 00EC097B
                                                          • EnterCriticalSection.KERNEL32(017AD538,00000000), ref: 00EC098D
                                                          • TerminateThread.KERNEL32(?,000001F6), ref: 00EC099B
                                                          • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00EC09A9
                                                          • CloseHandle.KERNEL32(?), ref: 00EC09B8
                                                          • InterlockedExchange.KERNEL32(017AD558,000001F6), ref: 00EC09C8
                                                          • LeaveCriticalSection.KERNEL32(017AD538), ref: 00EC09CF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                          • String ID:
                                                          • API String ID: 3495660284-0
                                                          • Opcode ID: 3a8ed1d94fe754081ff32376d3b923515ada605e3b46b4ea85cdf76082c5e88a
                                                          • Instruction ID: 5e5fe2ba661e9fd957b4af07d8474dd7374312a88411fc9e7dc824d4d45639f7
                                                          • Opcode Fuzzy Hash: 3a8ed1d94fe754081ff32376d3b923515ada605e3b46b4ea85cdf76082c5e88a
                                                          • Instruction Fuzzy Hash: 94F01932442A46EFD7425BA5EEC8BD6BA39BF45702F502025F202A88B1C775946ACF90
                                                          APIs
                                                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00ED1DC0
                                                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00ED1DE1
                                                          • WSAGetLastError.WSOCK32 ref: 00ED1DF2
                                                          • htons.WSOCK32(?,?,?,?,?), ref: 00ED1EDB
                                                          • inet_ntoa.WSOCK32(?), ref: 00ED1E8C
                                                            • Part of subcall function 00EB39E8: _strlen.LIBCMT ref: 00EB39F2
                                                            • Part of subcall function 00ED3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00ECEC0C), ref: 00ED3240
                                                          • _strlen.LIBCMT ref: 00ED1F35
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                          • String ID:
                                                          • API String ID: 3203458085-0
                                                          • Opcode ID: 7898eb5945909c7102877aef1b221b8b0d587ff68b28feab09478eb1bbed14c3
                                                          • Instruction ID: ee2a97231a26791ea47850bae231a94b0968434208ba6f9ba875174788c54a1e
                                                          • Opcode Fuzzy Hash: 7898eb5945909c7102877aef1b221b8b0d587ff68b28feab09478eb1bbed14c3
                                                          • Instruction Fuzzy Hash: 30B1B031204340AFC324DF24C885E6A77E5EF84318F54A98DF8566B3A2DB71ED46CB91
                                                          APIs
                                                          • GetClientRect.USER32(?,?), ref: 00E55D30
                                                          • GetWindowRect.USER32(?,?), ref: 00E55D71
                                                          • ScreenToClient.USER32(?,?), ref: 00E55D99
                                                          • GetClientRect.USER32(?,?), ref: 00E55ED7
                                                          • GetWindowRect.USER32(?,?), ref: 00E55EF8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Rect$Client$Window$Screen
                                                          • String ID:
                                                          • API String ID: 1296646539-0
                                                          • Opcode ID: 47fac3ff1819ae4762e3cfac6d8d9601baedb050fd5e49b09eb7607a06592895
                                                          • Instruction ID: 59f918fe59e7c78620de23be7fa06ca29eac4b316e0aad318f8fe70e6e13537d
                                                          • Opcode Fuzzy Hash: 47fac3ff1819ae4762e3cfac6d8d9601baedb050fd5e49b09eb7607a06592895
                                                          • Instruction Fuzzy Hash: 50B17D75A0064ADBDF14CFA9C481BEEB7F1FF44315F14A81AE8A9E7250DB30AA45CB50
                                                          APIs
                                                          • __allrem.LIBCMT ref: 00E800BA
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E800D6
                                                          • __allrem.LIBCMT ref: 00E800ED
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8010B
                                                          • __allrem.LIBCMT ref: 00E80122
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E80140
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                          • String ID:
                                                          • API String ID: 1992179935-0
                                                          • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                          • Instruction ID: 2613210ff04abbd60585775583973f27d03b6f1217c7b91e691c2fc378f0b8c9
                                                          • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                          • Instruction Fuzzy Hash: 2081E572A01B06AFE724AE68CC41B6A73E9AF41734F24A53AF55DF6281EB70D9048750
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E782D9,00E782D9,?,?,?,00E8644F,00000001,00000001,?), ref: 00E86258
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E8644F,00000001,00000001,?,?,?,?), ref: 00E862DE
                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E863D8
                                                          • __freea.LIBCMT ref: 00E863E5
                                                            • Part of subcall function 00E83820: RtlAllocateHeap.NTDLL(00000000,?,00F21444,?,00E6FDF5,?,?,00E5A976,00000010,00F21440,00E513FC,?,00E513C6,?,00E51129), ref: 00E83852
                                                          • __freea.LIBCMT ref: 00E863EE
                                                          • __freea.LIBCMT ref: 00E86413
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1414292761-0
                                                          • Opcode ID: 8b8c25d695712d3e0a4cf79deea9b4f75f9f9eefadf8d8260f46b9d7aba7a41b
                                                          • Instruction ID: 1d7cdff645024766ba3c9af59764c0568b45ae6abdb66f39c8457f0431a9f3fd
                                                          • Opcode Fuzzy Hash: 8b8c25d695712d3e0a4cf79deea9b4f75f9f9eefadf8d8260f46b9d7aba7a41b
                                                          • Instruction Fuzzy Hash: BC51E272A00616AFEB25AF64DC81EAF77AAEB94714F245269FC0DF6150EB34DC40C760
                                                          APIs
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                            • Part of subcall function 00EDC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EDB6AE,?,?), ref: 00EDC9B5
                                                            • Part of subcall function 00EDC998: _wcslen.LIBCMT ref: 00EDC9F1
                                                            • Part of subcall function 00EDC998: _wcslen.LIBCMT ref: 00EDCA68
                                                            • Part of subcall function 00EDC998: _wcslen.LIBCMT ref: 00EDCA9E
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EDBCCA
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EDBD25
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EDBD6A
                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EDBD99
                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EDBDF3
                                                          • RegCloseKey.ADVAPI32(?), ref: 00EDBDFF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                          • String ID:
                                                          • API String ID: 1120388591-0
                                                          • Opcode ID: c56c66479f6c28c7a6a4481625224a89d7160be1f08dbae7f321089c431e8d87
                                                          • Instruction ID: 2e21804ca7f0ff8011e280f2beaf3f5ef688ffcc1e3584e987f4c2dac62ff082
                                                          • Opcode Fuzzy Hash: c56c66479f6c28c7a6a4481625224a89d7160be1f08dbae7f321089c431e8d87
                                                          • Instruction Fuzzy Hash: 2E81A030208241EFC714DF24C885E6ABBE5FF84308F15995DF4599B2A2DB31ED4ACB92
                                                          APIs
                                                          • VariantInit.OLEAUT32(00000035), ref: 00EAF7B9
                                                          • SysAllocString.OLEAUT32(00000001), ref: 00EAF860
                                                          • VariantCopy.OLEAUT32(00EAFA64,00000000), ref: 00EAF889
                                                          • VariantClear.OLEAUT32(00EAFA64), ref: 00EAF8AD
                                                          • VariantCopy.OLEAUT32(00EAFA64,00000000), ref: 00EAF8B1
                                                          • VariantClear.OLEAUT32(?), ref: 00EAF8BB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearCopy$AllocInitString
                                                          • String ID:
                                                          • API String ID: 3859894641-0
                                                          • Opcode ID: 3bfaf0ebd73f44c4b089689d0469d2f478cc87832bbd912f15ec1d99abd230e9
                                                          • Instruction ID: 43419a201911c81e715d97c2d2af62377603b77347659cd8d7246383dce4263c
                                                          • Opcode Fuzzy Hash: 3bfaf0ebd73f44c4b089689d0469d2f478cc87832bbd912f15ec1d99abd230e9
                                                          • Instruction Fuzzy Hash: 0351C631500310BACF24ABE5D895B6AB3E5EF8A314F246466F805FF292DB74AC41C796
                                                          APIs
                                                            • Part of subcall function 00E57620: _wcslen.LIBCMT ref: 00E57625
                                                            • Part of subcall function 00E56B57: _wcslen.LIBCMT ref: 00E56B6A
                                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00EC94E5
                                                          • _wcslen.LIBCMT ref: 00EC9506
                                                          • _wcslen.LIBCMT ref: 00EC952D
                                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00EC9585
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$FileName$OpenSave
                                                          • String ID: X
                                                          • API String ID: 83654149-3081909835
                                                          • Opcode ID: ac5456b93939fcadd096cd891beed964721f511259f31f1c69ab6c612fc36f1d
                                                          • Instruction ID: eefefaa107d2ab85bc7082c5be1141fe023e6e3bcbdbae5bf81444fd5458f131
                                                          • Opcode Fuzzy Hash: ac5456b93939fcadd096cd891beed964721f511259f31f1c69ab6c612fc36f1d
                                                          • Instruction Fuzzy Hash: D3E19D315083408FC724DF24C985F6AB7E5BF85314F14996DF899AB2A2EB31DD06CB92
                                                          APIs
                                                            • Part of subcall function 00E69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E69BB2
                                                          • BeginPaint.USER32(?,?,?), ref: 00E69241
                                                          • GetWindowRect.USER32(?,?), ref: 00E692A5
                                                          • ScreenToClient.USER32(?,?), ref: 00E692C2
                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E692D3
                                                          • EndPaint.USER32(?,?,?,?,?), ref: 00E69321
                                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00EA71EA
                                                            • Part of subcall function 00E69339: BeginPath.GDI32(00000000), ref: 00E69357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                          • String ID:
                                                          • API String ID: 3050599898-0
                                                          • Opcode ID: cf58e2eaac6f723c5eb320d5fa51d12c43bad413e03dc524563933b18a1ca9d6
                                                          • Instruction ID: b9bc519cb28ccbdb29a2ee7b98a4fc2ff256010bdb1ca54c0e70118c19f591a9
                                                          • Opcode Fuzzy Hash: cf58e2eaac6f723c5eb320d5fa51d12c43bad413e03dc524563933b18a1ca9d6
                                                          • Instruction Fuzzy Hash: 4341E230145344AFD720DF24EC94FBA7BF8FB5A764F100229F994AB2A2C7309846DB61
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 00EC080C
                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00EC0847
                                                          • EnterCriticalSection.KERNEL32(?), ref: 00EC0863
                                                          • LeaveCriticalSection.KERNEL32(?), ref: 00EC08DC
                                                          • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00EC08F3
                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00EC0921
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                          • String ID:
                                                          • API String ID: 3368777196-0
                                                          • Opcode ID: 3e3927a4529ee26a060e163e6cf47955579454ba3edcd20d5bf501b229c3fdd9
                                                          • Instruction ID: 20516880f1a5662d1f284e54a342ebf83faaaa63c89423786aec2bc3fb8445a5
                                                          • Opcode Fuzzy Hash: 3e3927a4529ee26a060e163e6cf47955579454ba3edcd20d5bf501b229c3fdd9
                                                          • Instruction Fuzzy Hash: 7E416A71900209EFDF149F54EC85AAA7BB8FF44314F1480A9ED04AE297D731DE66DBA0
                                                          APIs
                                                          • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00EAF3AB,00000000,?,?,00000000,?,00EA682C,00000004,00000000,00000000), ref: 00EE824C
                                                          • EnableWindow.USER32(?,00000000), ref: 00EE8272
                                                          • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00EE82D1
                                                          • ShowWindow.USER32(?,00000004), ref: 00EE82E5
                                                          • EnableWindow.USER32(?,00000001), ref: 00EE830B
                                                          • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00EE832F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$Show$Enable$MessageSend
                                                          • String ID:
                                                          • API String ID: 642888154-0
                                                          • Opcode ID: 3c6314b75dc5c55d83a4049dc74b6c5cc40a1497ed0282462f0dbbef8158f2d2
                                                          • Instruction ID: 4f8b4bd7d8b8b862c6e884a8f78807c71c9e4d0aee3d0ec52da9341d32339716
                                                          • Opcode Fuzzy Hash: 3c6314b75dc5c55d83a4049dc74b6c5cc40a1497ed0282462f0dbbef8158f2d2
                                                          • Instruction Fuzzy Hash: 7041B73060168CEFDB25CF16C995BE47BE0BB0A718F186165E64C6F272C7325846CB50
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 00EB4C95
                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EB4CB2
                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EB4CEA
                                                          • _wcslen.LIBCMT ref: 00EB4D08
                                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EB4D10
                                                          • _wcsstr.LIBVCRUNTIME ref: 00EB4D1A
                                                          Similarity
                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                          • String ID:
                                                          • API String ID: 72514467-0
                                                          • Opcode ID: 0a284dcd3f36fe2e5dd1d73b07833b1fa7d27b494860c128560b9ad45274e847
                                                          • Instruction ID: 08a77f0cd9ef2aeb99819bc4c8633059f64105c44079b73708296646ca52ec6c
                                                          • Opcode Fuzzy Hash: 0a284dcd3f36fe2e5dd1d73b07833b1fa7d27b494860c128560b9ad45274e847
                                                          • Instruction Fuzzy Hash: 9D2129B22042457BEB155B39EC49EBB7FECDF45B54F109039F805EA1D2EA61CC0186A1
                                                          APIs
                                                            • Part of subcall function 00E53AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E53A97,?,?,00E52E7F,?,?,?,00000000), ref: 00E53AC2
                                                          • _wcslen.LIBCMT ref: 00EC587B
                                                          • CoInitialize.OLE32(00000000), ref: 00EC5995
                                                          • CoCreateInstance.OLE32(00EEFCF8,00000000,00000001,00EEFB68,?), ref: 00EC59AE
                                                          • CoUninitialize.OLE32 ref: 00EC59CC
                                                          Strings
                                                          Similarity
                                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                          • String ID: .lnk
                                                          • API String ID: 3172280962-24824748
                                                          • Opcode ID: 57430e93a84e3dbb6aa1636a049ddbdabb354bc389a6e1c18dfb1bd28f6050f0
                                                          • Instruction ID: 0c269c86b4e058f76b7430a9c680385ad20115fe1f499bcba1cf46b72751bfb0
                                                          • Opcode Fuzzy Hash: 57430e93a84e3dbb6aa1636a049ddbdabb354bc389a6e1c18dfb1bd28f6050f0
                                                          • Instruction Fuzzy Hash: 76D165726047019FC714DF24C580E2ABBE1EF89314F14995DF899AB361DB32EC86CB92
                                                          APIs
                                                            • Part of subcall function 00EB0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EB0FCA
                                                            • Part of subcall function 00EB0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EB0FD6
                                                            • Part of subcall function 00EB0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EB0FE5
                                                            • Part of subcall function 00EB0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EB0FEC
                                                            • Part of subcall function 00EB0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EB1002
                                                          • GetLengthSid.ADVAPI32(?,00000000,00EB1335), ref: 00EB17AE
                                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EB17BA
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00EB17C1
                                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 00EB17DA
                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00EB1335), ref: 00EB17EE
                                                          • HeapFree.KERNEL32(00000000), ref: 00EB17F5
                                                          Similarity
                                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                          • String ID:
                                                          • API String ID: 3008561057-0
                                                          • Opcode ID: bbfa0369622608273616c612b48e1f23ba84322d0b56b3d3c83d3b214c934c24
                                                          • Instruction ID: 2905494fe5085b400020e52728e76ad70e81fc31408188eebbc82b732b2af900
                                                          • Opcode Fuzzy Hash: bbfa0369622608273616c612b48e1f23ba84322d0b56b3d3c83d3b214c934c24
                                                          • Instruction Fuzzy Hash: 2911DF32601218FFDB108FA4DC98BEF7BB8EB42369F604059F441BB110CB31A945CB60
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EB14FF
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00EB1506
                                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EB1515
                                                          • CloseHandle.KERNEL32(00000004), ref: 00EB1520
                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EB154F
                                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00EB1563
                                                          Similarity
                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                          • String ID:
                                                          • API String ID: 1413079979-0
                                                          • Opcode ID: a711e3787564c9b0cdc91a9bd852a93f47ccaf39f244a4dc9c44c3c86ab0c0f4
                                                          • Instruction ID: 4913ed35e9dbcaf4727e8ed513812d421242f7a25d798f5442b24a9c8fa52481
                                                          • Opcode Fuzzy Hash: a711e3787564c9b0cdc91a9bd852a93f47ccaf39f244a4dc9c44c3c86ab0c0f4
                                                          • Instruction Fuzzy Hash: 1811647210124DAFDB11CFA8ED89BDE3BA9EB48718F144065FA05B6060C3718E659B60
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,00E73379,00E72FE5), ref: 00E73390
                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E7339E
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E733B7
                                                          • SetLastError.KERNEL32(00000000,?,00E73379,00E72FE5), ref: 00E73409
                                                          Similarity
                                                          • API ID: ErrorLastValue___vcrt_
                                                          • String ID:
                                                          • API String ID: 3852720340-0
                                                          • Opcode ID: bed783ad3721ef739db8c0b2a5cbad153397161a7becd42e7f3dea9e413c58c2
                                                          • Instruction ID: 45e361ba0b58ffe6b7bb1e0305e353c68b6a89ece66228e52916667f1706cb82
                                                          • Opcode Fuzzy Hash: bed783ad3721ef739db8c0b2a5cbad153397161a7becd42e7f3dea9e413c58c2
                                                          • Instruction Fuzzy Hash: 9F012432648316BEA6A567B47C859A72E95EB09379330E22DF538F41F0EF114E027284
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,00E85686,00E93CD6,?,00000000,?,00E85B6A,?,?,?,?,?,00E7E6D1,?,00F18A48), ref: 00E82D78
                                                          • _free.LIBCMT ref: 00E82DAB
                                                          • _free.LIBCMT ref: 00E82DD3
                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,00E7E6D1,?,00F18A48,00000010,00E54F4A,?,?,00000000,00E93CD6), ref: 00E82DE0
                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,00E7E6D1,?,00F18A48,00000010,00E54F4A,?,?,00000000,00E93CD6), ref: 00E82DEC
                                                          • _abort.LIBCMT ref: 00E82DF2
                                                          Similarity
                                                          • API ID: ErrorLast$_free$_abort
                                                          • String ID:
                                                          • API String ID: 3160817290-0
                                                          • Opcode ID: 7b55eb3d2e805ce288ab63fd43e07555ddd79ab6c2c8137c10c192d8b84ef5e6
                                                          • Instruction ID: 4272e65fbdbe8cf33c0fa0e65e471aa61b4eb6979872bcb2c0357c118aded87f
                                                          • Opcode Fuzzy Hash: 7b55eb3d2e805ce288ab63fd43e07555ddd79ab6c2c8137c10c192d8b84ef5e6
                                                          • Instruction Fuzzy Hash: A8F0C836585A003BC6123739BC06E5B2999AFC1BA5F35641CFA2CB61E2EF2498025361
                                                          APIs
                                                            • Part of subcall function 00E69639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E69693
                                                            • Part of subcall function 00E69639: SelectObject.GDI32(?,00000000), ref: 00E696A2
                                                            • Part of subcall function 00E69639: BeginPath.GDI32(?), ref: 00E696B9
                                                            • Part of subcall function 00E69639: SelectObject.GDI32(?,00000000), ref: 00E696E2
                                                          • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00EE8A4E
                                                          • LineTo.GDI32(?,00000003,00000000), ref: 00EE8A62
                                                          • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00EE8A70
                                                          • LineTo.GDI32(?,00000000,00000003), ref: 00EE8A80
                                                          • EndPath.GDI32(?), ref: 00EE8A90
                                                          • StrokePath.GDI32(?), ref: 00EE8AA0
                                                          Similarity
                                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                          • String ID:
                                                          • API String ID: 43455801-0
                                                          • Opcode ID: f23458d0c0e706571eba9c16dbf2f5bb6c54a87cdc046441ea6fc3ddacaddb3b
                                                          • Instruction ID: 20874dfdabb87afaf9064ae554249bcf8a87d8e7383148b0670f00111a3da6db
                                                          • Opcode Fuzzy Hash: f23458d0c0e706571eba9c16dbf2f5bb6c54a87cdc046441ea6fc3ddacaddb3b
                                                          • Instruction Fuzzy Hash: 85111E7600014CFFDF129F91DC88E9A7F6CEB04354F108021FA19AA161C7719D56DFA0
                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 00EB5218
                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00EB5229
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EB5230
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00EB5238
                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00EB524F
                                                          • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00EB5261
                                                          Similarity
                                                          • API ID: CapsDevice$Release
                                                          • String ID:
                                                          • API String ID: 1035833867-0
                                                          • Opcode ID: 2c80379221d62acdb4e67cee341e9ba5841c3c446c63351a1c6af0751c386406
                                                          • Instruction ID: 9dd36b562e9cfd89280ed62621826e3cae1e2d973816253dc5f79bf1b6530ce7
                                                          • Opcode Fuzzy Hash: 2c80379221d62acdb4e67cee341e9ba5841c3c446c63351a1c6af0751c386406
                                                          • Instruction Fuzzy Hash: B1018475A01709BFEB109BE69C49B4FBFB8EB48751F144065FA04BB290D6709805CBA0
                                                          APIs
                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E51BF4
                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00E51BFC
                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E51C07
                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E51C12
                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00E51C1A
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E51C22
                                                          Similarity
                                                          • API ID: Virtual
                                                          • String ID:
                                                          • API String ID: 4278518827-0
                                                          • Opcode ID: f7abc0b5432005182d6ee19a6837458800b770d1a6e89a61fced5ee88a084b1a
                                                          • Instruction ID: 4bd07c505fc6152e2a72befa4e94deed2dafa5055ef939384593b5aa101c9202
                                                          • Opcode Fuzzy Hash: f7abc0b5432005182d6ee19a6837458800b770d1a6e89a61fced5ee88a084b1a
                                                          • Instruction Fuzzy Hash: DF0148B090275A7DE3008F5A8C85A52FFA8FF19754F00411BA15C4B941C7B5A864CBE5
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EBEB30
                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EBEB46
                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00EBEB55
                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EBEB64
                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EBEB6E
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EBEB75
                                                          Similarity
                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 839392675-0
                                                          • Opcode ID: e99ccf42b0a0f1207e87163e70f8d6a5f719caad4ae023af9452bc65e78e2977
                                                          • Instruction ID: fb362756c8ccb6d0472a3812f52b158c4808e1ac3a46eeca84db2d18df5f1509
                                                          • Opcode Fuzzy Hash: e99ccf42b0a0f1207e87163e70f8d6a5f719caad4ae023af9452bc65e78e2977
                                                          • Instruction Fuzzy Hash: 17F01D72141199BFE62157539C4DEEB3A7CEBCAF11F100158FA01E519196A05A0686B5
                                                          APIs
                                                          • GetClientRect.USER32(?), ref: 00EA7452
                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 00EA7469
                                                          • GetWindowDC.USER32(?), ref: 00EA7475
                                                          • GetPixel.GDI32(00000000,?,?), ref: 00EA7484
                                                          • ReleaseDC.USER32(?,00000000), ref: 00EA7496
                                                          • GetSysColor.USER32(00000005), ref: 00EA74B0
                                                          Similarity
                                                          • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                          • String ID:
                                                          • API String ID: 272304278-0
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EB187F
                                                          • UnloadUserProfile.USERENV(?,?), ref: 00EB188B
                                                          • CloseHandle.KERNEL32(?), ref: 00EB1894
                                                          • CloseHandle.KERNEL32(?), ref: 00EB189C
                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00EB18A5
                                                          • HeapFree.KERNEL32(00000000), ref: 00EB18AC
                                                          Similarity
                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                          • String ID:
                                                          • API String ID: 146765662-0
                                                          APIs
                                                            • Part of subcall function 00E70242: EnterCriticalSection.KERNEL32(00F2070C,00F21884,?,?,00E6198B,00F22518,?,?,?,00E512F9,00000000), ref: 00E7024D
                                                            • Part of subcall function 00E70242: LeaveCriticalSection.KERNEL32(00F2070C,?,00E6198B,00F22518,?,?,?,00E512F9,00000000), ref: 00E7028A
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                            • Part of subcall function 00E700A3: __onexit.LIBCMT ref: 00E700A9
                                                          • __Init_thread_footer.LIBCMT ref: 00ED7BFB
                                                            • Part of subcall function 00E701F8: EnterCriticalSection.KERNEL32(00F2070C,?,?,00E68747,00F22514), ref: 00E70202
                                                            • Part of subcall function 00E701F8: LeaveCriticalSection.KERNEL32(00F2070C,?,00E68747,00F22514), ref: 00E70235
                                                          Strings
                                                          Similarity
                                                          • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                          • String ID: +T$5$G$Variable must be of type 'Object'.
                                                          • API String ID: 535116098-4125810065
                                                          APIs
                                                            • Part of subcall function 00E57620: _wcslen.LIBCMT ref: 00E57625
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EBC6EE
                                                          • _wcslen.LIBCMT ref: 00EBC735
                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EBC79C
                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EBC7CA
                                                          Strings
                                                          Similarity
                                                          • API ID: ItemMenu$Info_wcslen$Default
                                                          • String ID: 0
                                                          • API String ID: 1227352736-4108050209
                                                          APIs
                                                          • ShellExecuteExW.SHELL32(0000003C), ref: 00EDAEA3
                                                            • Part of subcall function 00E57620: _wcslen.LIBCMT ref: 00E57625
                                                          • GetProcessId.KERNEL32(00000000), ref: 00EDAF38
                                                          • CloseHandle.KERNEL32(00000000), ref: 00EDAF67
                                                          Strings
                                                          Similarity
                                                          • API ID: CloseExecuteHandleProcessShell_wcslen
                                                          • String ID: <$@
                                                          • API String ID: 146682121-1426351568
                                                          APIs
                                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EB7206
                                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EB723C
                                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EB724D
                                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EB72CF
                                                          Strings
                                                          Similarity
                                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                                          • String ID: DllGetClassObject
                                                          • API String ID: 753597075-1075368562
                                                          APIs
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EE3E35
                                                          • IsMenu.USER32(?), ref: 00EE3E4A
                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EE3E92
                                                          • DrawMenuBar.USER32 ref: 00EE3EA5
                                                          Strings
                                                          Similarity
                                                          • API ID: Menu$Item$DrawInfoInsert
                                                          • String ID: 0
                                                          • API String ID: 3076010158-4108050209
                                                          APIs
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                            • Part of subcall function 00EB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EB3CCA
                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EB1E66
                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EB1E79
                                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00EB1EA9
                                                            • Part of subcall function 00E56B57: _wcslen.LIBCMT ref: 00E56B6A
                                                          Strings
                                                          Similarity
                                                          • API ID: MessageSend$_wcslen$ClassName
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 2081771294-1403004172
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00EE2F8D
                                                          • LoadLibraryW.KERNEL32(?), ref: 00EE2F94
                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00EE2FA9
                                                          • DestroyWindow.USER32(?), ref: 00EE2FB1
                                                          Strings
                                                          Similarity
                                                          • API ID: MessageSend$DestroyLibraryLoadWindow
                                                          • String ID: SysAnimate32
                                                          • API String ID: 3529120543-1011021900
                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E74D1E,00E828E9,(,00E74CBE,00000000,00F188B8,0000000C,00E74E15,(,00000002), ref: 00E74D8D
                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E74DA0
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,00E74D1E,00E828E9,(,00E74CBE,00000000,00F188B8,0000000C,00E74E15,(,00000002,00000000), ref: 00E74DC3
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E54EDD,?,00F21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E54E9C
                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E54EAE
                                                          • FreeLibrary.KERNEL32(00000000,?,?,00E54EDD,?,00F21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E54EC0
                                                          Strings
                                                          Similarity
                                                          • API ID: Library$AddressFreeLoadProc
                                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                          • API String ID: 145871493-3689287502
                                                          • Opcode ID: 068edb58c4920a695d6a656de85372f6e4b4ab5f6458e7c6029280bdc97705d6
                                                          • Instruction ID: ae1dc246b42b7d0068053665cfcd35307353e3e8084528468705496ce7e65b43
                                                          • Opcode Fuzzy Hash: 068edb58c4920a695d6a656de85372f6e4b4ab5f6458e7c6029280bdc97705d6
                                                          • Instruction Fuzzy Hash: 97E08635A026265F922117266C19A5B6564AF82F6B7151515FD00FB140DF60CD4A40A2
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E93CDE,?,00F21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E54E62
                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E54E74
                                                          • FreeLibrary.KERNEL32(00000000,?,?,00E93CDE,?,00F21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E54E87
                                                          Strings
                                                          Similarity
                                                          • API ID: Library$AddressFreeLoadProc
                                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                          • API String ID: 145871493-1355242751
                                                          • Opcode ID: d727f9d3273dc41d5a32345c0277f97c6de63197a73745d80476b60db8a103c6
                                                          • Instruction ID: 152527f8b135f364e22c120c95547072a1625465edd7ac3e654aa004070eb68b
                                                          • Opcode Fuzzy Hash: d727f9d3273dc41d5a32345c0277f97c6de63197a73745d80476b60db8a103c6
                                                          • Instruction Fuzzy Hash: 22D0C2319036665B47221B266C19D8B2A28AF81F1A3151914BC00BA154CF20CD4A81D1
                                                          APIs
                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EC2C05
                                                          • DeleteFileW.KERNEL32(?), ref: 00EC2C87
                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EC2C9D
                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EC2CAE
                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EC2CC0
                                                          Similarity
                                                          • API ID: File$Delete$Copy
                                                          • String ID:
                                                          • API String ID: 3226157194-0
                                                          • Opcode ID: 45c21c7cfc1d3f3bf29bec7736e476fcb8cf9408adc0c9d3a7a49da4c8b32d8a
                                                          • Instruction ID: 7f1e17f90ef8ac3dbc182aaf2f0d53d18f9428c39381e7a0998449cac38c2ea9
                                                          • Opcode Fuzzy Hash: 45c21c7cfc1d3f3bf29bec7736e476fcb8cf9408adc0c9d3a7a49da4c8b32d8a
                                                          • Instruction Fuzzy Hash: 9CB16D72D0011DABDF21DBA4CD85EDEBBBDEF08350F1050AAFA09F6151EA319A458F61
                                                          APIs
                                                          • GetCurrentProcessId.KERNEL32 ref: 00EDA427
                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EDA435
                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EDA468
                                                          • CloseHandle.KERNEL32(?), ref: 00EDA63D
                                                          Similarity
                                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                                          • String ID:
                                                          • API String ID: 3488606520-0
                                                          • Opcode ID: 104a18f41a6b23e93f9fec7c699c0690626aea9d02f844eaccedbcce0494adf2
                                                          • Instruction ID: 85122ceac5fefcc57696ef7527f7c1f8ff274583d832ee8bc94c5fb9fd6f9171
                                                          • Opcode Fuzzy Hash: 104a18f41a6b23e93f9fec7c699c0690626aea9d02f844eaccedbcce0494adf2
                                                          • Instruction Fuzzy Hash: 67A1A1716043009FD720DF24D882F2AB7E5AF84714F18A85DF969AB392DB70ED45CB92
                                                          APIs
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00EF3700), ref: 00E8BB91
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00F2121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00E8BC09
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00F21270,000000FF,?,0000003F,00000000,?), ref: 00E8BC36
                                                          • _free.LIBCMT ref: 00E8BB7F
                                                            • Part of subcall function 00E829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E8D7D1,00000000,00000000,00000000,00000000,?,00E8D7F8,00000000,00000007,00000000,?,00E8DBF5,00000000), ref: 00E829DE
                                                            • Part of subcall function 00E829C8: GetLastError.KERNEL32(00000000,?,00E8D7D1,00000000,00000000,00000000,00000000,?,00E8D7F8,00000000,00000007,00000000,?,00E8DBF5,00000000,00000000), ref: 00E829F0
                                                          • _free.LIBCMT ref: 00E8BD4B
                                                          Similarity
                                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                          • String ID:
                                                          • API String ID: 1286116820-0
                                                          • Opcode ID: ca63c4965f1244056ab75d6db0531c51541ea010551282f15358a1073cdcaee2
                                                          • Instruction ID: 9f770701e6664dd392be8a4d5b310add8b23af9d1f9fde6cd257530f4b9d938b
                                                          • Opcode Fuzzy Hash: ca63c4965f1244056ab75d6db0531c51541ea010551282f15358a1073cdcaee2
                                                          • Instruction Fuzzy Hash: 3351C47190020DEFDB20FF699C819AEB7B8BF50314B10526AF56CF7191EB709E419B94
                                                          APIs
                                                            • Part of subcall function 00EBDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EBCF22,?), ref: 00EBDDFD
                                                            • Part of subcall function 00EBDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EBCF22,?), ref: 00EBDE16
                                                            • Part of subcall function 00EBE199: GetFileAttributesW.KERNEL32(?,00EBCF95), ref: 00EBE19A
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00EBE473
                                                          • MoveFileW.KERNEL32(?,?), ref: 00EBE4AC
                                                          • _wcslen.LIBCMT ref: 00EBE5EB
                                                          • _wcslen.LIBCMT ref: 00EBE603
                                                          • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00EBE650
                                                          Similarity
                                                          • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                          • String ID:
                                                          • API String ID: 3183298772-0
                                                          • Opcode ID: 52661fc07e06cd69f8cb13f8ce6a79893e428413d4fe8fbe1bf967df1d5089fc
                                                          • Instruction ID: 59f3663cdc4cf3a488dbd35a18905debe7899460816cc8fcffd9e9518d2fc54c
                                                          • Opcode Fuzzy Hash: 52661fc07e06cd69f8cb13f8ce6a79893e428413d4fe8fbe1bf967df1d5089fc
                                                          • Instruction Fuzzy Hash: E85197B24083859BC724DBA4DC819DFB3ECAF84344F10591EF589E3292EF74A58C8756
                                                          APIs
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                            • Part of subcall function 00EDC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EDB6AE,?,?), ref: 00EDC9B5
                                                            • Part of subcall function 00EDC998: _wcslen.LIBCMT ref: 00EDC9F1
                                                            • Part of subcall function 00EDC998: _wcslen.LIBCMT ref: 00EDCA68
                                                            • Part of subcall function 00EDC998: _wcslen.LIBCMT ref: 00EDCA9E
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EDBAA5
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EDBB00
                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EDBB63
                                                          • RegCloseKey.ADVAPI32(?,?), ref: 00EDBBA6
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EDBBB3
                                                          Similarity
                                                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                          • String ID:
                                                          • API String ID: 826366716-0
                                                          • Opcode ID: 418e38ec8e086bfd5468b82fc84886f0d5ff23d58aa7f3e6de15dc7c8d9d23d9
                                                          • Instruction ID: 4b34e049e79ded2bca99b04b0c9b56ac8564cbf07bef9549ed4e3a1bec879f55
                                                          • Opcode Fuzzy Hash: 418e38ec8e086bfd5468b82fc84886f0d5ff23d58aa7f3e6de15dc7c8d9d23d9
                                                          • Instruction Fuzzy Hash: 38619D31208241EFC714DF14C490E6ABBE5FF84308F55995EF4999B2A2DB31ED4ACB92
                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 00EB8BCD
                                                          • VariantClear.OLEAUT32 ref: 00EB8C3E
                                                          • VariantClear.OLEAUT32 ref: 00EB8C9D
                                                          • VariantClear.OLEAUT32(?), ref: 00EB8D10
                                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EB8D3B
                                                          Similarity
                                                          • API ID: Variant$Clear$ChangeInitType
                                                          • String ID:
                                                          • API String ID: 4136290138-0
                                                          • Opcode ID: 8745c84e48939c06edb2be1142e21efc12655f3e3f0f051291a464e6a1307c9f
                                                          • Instruction ID: 18944c3b5d84322463d2b386ab800555ea1d6aa78d00509bbc22cce28673ed1d
                                                          • Opcode Fuzzy Hash: 8745c84e48939c06edb2be1142e21efc12655f3e3f0f051291a464e6a1307c9f
                                                          • Instruction Fuzzy Hash: 6D5159B5A00219EFCB14CF58C894AAAB7F9FF89314B15855AF915EB350E730E911CF90
                                                          APIs
                                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EC8BAE
                                                          • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00EC8BDA
                                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EC8C32
                                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EC8C57
                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EC8C5F
                                                          Similarity
                                                          • API ID: PrivateProfile$SectionWrite$String
                                                          • String ID:
                                                          • API String ID: 2832842796-0
                                                          • Opcode ID: 5918ffb32dbe1e848d49c4094745243306537ab4f9b995a3bad0e1347913cdcd
                                                          • Instruction ID: d8bd167610ceffe55e6e9ca06f9eb4752b58a6b143f300bed3b6183c06bc842c
                                                          • Opcode Fuzzy Hash: 5918ffb32dbe1e848d49c4094745243306537ab4f9b995a3bad0e1347913cdcd
                                                          • Instruction Fuzzy Hash: D8516B35A002189FCB04DF65C980E6DBBF5FF48314F089458E849AB362DB31ED56CB91
                                                          APIs
                                                          • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00ED8F40
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00ED8FD0
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00ED8FEC
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00ED9032
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00ED9052
                                                            • Part of subcall function 00E6F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00EC1043,?,7529E610), ref: 00E6F6E6
                                                            • Part of subcall function 00E6F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00EAFA64,00000000,00000000,?,?,00EC1043,?,7529E610,?,00EAFA64), ref: 00E6F70D
                                                          Similarity
                                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                          • String ID:
                                                          • API String ID: 666041331-0
                                                          • Opcode ID: 9a6dcae6eaaddd9a9251338a07d5be6cbceed7749b567d1fb2dbf0169de8dfa4
                                                          • Instruction ID: 7fefec1f9382997468d5fa0428449088a8b065445998fd6d88bdf7a1fe3b3b80
                                                          • Opcode Fuzzy Hash: 9a6dcae6eaaddd9a9251338a07d5be6cbceed7749b567d1fb2dbf0169de8dfa4
                                                          • Instruction Fuzzy Hash: 19514C35605209DFC715DF68C4848ADBBF1FF49318B149499E816AF362DB31ED8ACB90
                                                          APIs
                                                          • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00EE6C33
                                                          • SetWindowLongW.USER32(?,000000EC,?), ref: 00EE6C4A
                                                          • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00EE6C73
                                                          • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00ECAB79,00000000,00000000), ref: 00EE6C98
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00EE6CC7
                                                          Similarity
                                                          • API ID: Window$Long$MessageSendShow
                                                          • String ID:
                                                          • API String ID: 3688381893-0
                                                          • Opcode ID: d412a41ced1664f98cb87c1df5c300854a8c89190a2a70f1da0947d9d14358bb
                                                          • Instruction ID: 3e6f3300b2ee43799a3ebddb8e8c376f58256eb8be19333e11d7a313c38b135f
                                                          • Opcode Fuzzy Hash: d412a41ced1664f98cb87c1df5c300854a8c89190a2a70f1da0947d9d14358bb
                                                          • Instruction Fuzzy Hash: 4241D43560018CAFDB24CF2ACC94FA5BBA5EB19394F241228FC95BB3E0C371AD41DA40
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Similarity
                                                          • API ID: _free
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: 7a33da031019189edb86436ed5a27d07a492e584940efdf2b48c8b3a2844f044
                                                          • Instruction ID: 283653bb9d8c683c26fa6fd39c8bf5ccc48f3cf4dd5d650af9722a79d7e468c9
                                                          • Instruction Fuzzy Hash: D741D372A002049FCB24EF78C884A5DB7E5EF88714F2645ACE61DFB391D631AD01CB80
                                                          APIs
                                                          • GetCursorPos.USER32(?), ref: 00E69141
                                                          • ScreenToClient.USER32(00000000,?), ref: 00E6915E
                                                          • GetAsyncKeyState.USER32(00000001), ref: 00E69183
                                                          • GetAsyncKeyState.USER32(00000002), ref: 00E6919D
                                                          Similarity
                                                          • API ID: AsyncState$ClientCursorScreen
                                                          • API String ID: 4210589936-0
                                                          • Opcode ID: 480e9d4e7b54d5ab4f35f59747fee2056578c538060128f3c45f346bb7d9f68d
                                                          • Instruction ID: 8293d7f3eebc86747520b190ca84ac71d0718060f6b839714371482d1cabedef
                                                          • Instruction Fuzzy Hash: E7419F31A0861AFBDF05DF68D844BEEB7B8FB0A364F209219E465B72D1C7306954CB91
                                                          APIs
                                                          • GetInputState.USER32 ref: 00EC38CB
                                                          • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00EC3922
                                                          • TranslateMessage.USER32(?), ref: 00EC394B
                                                          • DispatchMessageW.USER32(?), ref: 00EC3955
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EC3966
                                                          Similarity
                                                          • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                          • API String ID: 2256411358-0
                                                          • Opcode ID: d6ffcdf278f5fba6498a0023cc112772fb6274882e0f8ff32cd65368c1ab8a71
                                                          • Instruction ID: 42f662bdbe90df5e9dcafe0e342fe1b89aea9dceb5b23484f0d74828628e7e8a
                                                          • Instruction Fuzzy Hash: 79312B705043859EEB34CB34DA48FF637A4BB51308F14912DE452E21D4D3B29A87DB11
                                                          APIs
                                                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00ECC21E,00000000), ref: 00ECCF38
                                                          • InternetReadFile.WININET(?,00000000,?,?), ref: 00ECCF6F
                                                          • GetLastError.KERNEL32(?,00000000,?,?,?,00ECC21E,00000000), ref: 00ECCFB4
                                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,00ECC21E,00000000), ref: 00ECCFC8
                                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,00ECC21E,00000000), ref: 00ECCFF2
                                                          Similarity
                                                          • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                          • API String ID: 3191363074-0
                                                          • Opcode ID: 17059144685bdd1fe73a123c3c35aef40f573ba9f36d067db5b1aa1dac7835f7
                                                          • Instruction ID: 0897cef9887a3981c0b5f2a25a847efb79ce15a0ec2ba002a3d1b5426affc1ec
                                                          • Instruction Fuzzy Hash: C4318071A00249EFDB20DFA5D984EABBBF9EB04354B20542EF51AF6110D731ED46DB60
                                                          APIs
                                                          • GetWindowRect.USER32(?,?), ref: 00EB1915
                                                          • PostMessageW.USER32(00000001,00000201,00000001), ref: 00EB19C1
                                                          • Sleep.KERNEL32(00000000,?,?,?), ref: 00EB19C9
                                                          • PostMessageW.USER32(00000001,00000202,00000000), ref: 00EB19DA
                                                          • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00EB19E2
                                                          Similarity
                                                          • API ID: MessagePostSleep$RectWindow
                                                          • API String ID: 3382505437-0
                                                          • Opcode ID: ebb4d1ca19d76e2e7d955d020debdd68deacadf015c9415d2fd6f8c4a6d3b471
                                                          • Instruction ID: de51674beddaed8e213db0dd08c095569382a381af32e81fd2452d7437b6fbee
                                                          • Instruction Fuzzy Hash: 4931C271900299EFCB04CFA8CDA9ADF3BB5EB45325F105265F921BB2D1C7709944CB91
                                                          APIs
                                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00EE5745
                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00EE579D
                                                          • _wcslen.LIBCMT ref: 00EE57AF
                                                          • _wcslen.LIBCMT ref: 00EE57BA
                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00EE5816
                                                          Similarity
                                                          • API ID: MessageSend$_wcslen
                                                          • API String ID: 763830540-0
                                                          • Opcode ID: 9bb718d553cc48d4680555bba5815770fed7435ec8d5d17cbd1c23052db2fd55
                                                          • Instruction ID: 74ed3461afe51b54887213df03ac44ba1042b3500f0921fe45536b2981ab8c37
                                                          • Instruction Fuzzy Hash: B421937290469DDADB208F62CC84AEE77B8FF44728F109216F929FA1C1D7708985CF51
                                                          APIs
                                                          • IsWindow.USER32(00000000), ref: 00ED0951
                                                          • GetForegroundWindow.USER32 ref: 00ED0968
                                                          • GetDC.USER32(00000000), ref: 00ED09A4
                                                          • GetPixel.GDI32(00000000,?,00000003), ref: 00ED09B0
                                                          • ReleaseDC.USER32(00000000,00000003), ref: 00ED09E8
                                                          Similarity
                                                          • API ID: Window$ForegroundPixelRelease
                                                          • API String ID: 4156661090-0
                                                          • Opcode ID: 79f9750b851ba0f486a00e452b57f4f4ba026f9f4f8c0fb13f97245a54e720e6
                                                          • Instruction ID: 8492276b1ed5b6a5b0a9556d881632925b834e23df72fde2af68728730ca3518
                                                          • Instruction Fuzzy Hash: D2216235600204AFD704EF65C994A9EB7E9EF84701F14846DF856E7352DB30AC05CB90
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32 ref: 00E8CDC6
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E8CDE9
                                                            • Part of subcall function 00E83820: RtlAllocateHeap.NTDLL(00000000,?,00F21444,?,00E6FDF5,?,?,00E5A976,00000010,00F21440,00E513FC,?,00E513C6,?,00E51129), ref: 00E83852
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E8CE0F
                                                          • _free.LIBCMT ref: 00E8CE22
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E8CE31
                                                          Similarity
                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                          • API String ID: 336800556-0
                                                          • Opcode ID: ff962ae601fbbce2c4b1a6fd8f97862b99f0fb34427f770ad4b9cffdeeeca560
                                                          • Instruction ID: 21821ce4a9a7438a9d8aa2ccddf07392afb1e5aa61aa193963fce9a912d0b16a
                                                          • Instruction Fuzzy Hash: 650171726022557F232136B66C88D7B7A6DDBC7BA53355129F90DF6241EA718D0283B0
                                                          APIs
                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E69693
                                                          • SelectObject.GDI32(?,00000000), ref: 00E696A2
                                                          • BeginPath.GDI32(?), ref: 00E696B9
                                                          • SelectObject.GDI32(?,00000000), ref: 00E696E2
                                                          Similarity
                                                          • API ID: ObjectSelect$BeginCreatePath
                                                          • API String ID: 3225163088-0
                                                          • Opcode ID: 32b7a0c0642e46324c57c05d4961e17fed0d378d7dc7103b85d05283bde17956
                                                          • Instruction ID: a1a4785e00bc9bedab4f80c6e1349c912514db6f4953fb19efd34bc4d73af24c
                                                          • Instruction Fuzzy Hash: BD218070842349EFDB219F25EC447AD3BB8BB21399F100216F410B61B2D370589BEF99
                                                          APIs
                                                          Similarity
                                                          • API ID: _memcmp
                                                          • API String ID: 2931989736-0
                                                          • Opcode ID: 8fb0d754841fbf05659978db9d0d097140d181764f208d0967e7b3d349644208
                                                          • Instruction ID: 7f96a6482f169826fd6b677316188617766ac968a95de68dad3504ea8bf65232
                                                          • Instruction Fuzzy Hash: AF01B973741719FBE20855159E42FFB739C9B2139CF206062FD08BA241FB60EE2182A4
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,00E7F2DE,00E83863,00F21444,?,00E6FDF5,?,?,00E5A976,00000010,00F21440,00E513FC,?,00E513C6), ref: 00E82DFD
                                                          • _free.LIBCMT ref: 00E82E32
                                                          • _free.LIBCMT ref: 00E82E59
                                                          • SetLastError.KERNEL32(00000000,00E51129), ref: 00E82E66
                                                          • SetLastError.KERNEL32(00000000,00E51129), ref: 00E82E6F
                                                          Similarity
                                                          • API ID: ErrorLast$_free
                                                          • API String ID: 3170660625-0
                                                          • Opcode ID: 520467fde77cdde77a1512092ca6d446c23f69045d81754b28702d3e0e93fbd9
                                                          • Instruction ID: 162f2e98842363ecbed7815ee1d5a1036197a3b5486470b72b8cf4d59c84d3bb
                                                          • Instruction Fuzzy Hash: 41012D322456047BC61337356C85D6B259DABC1775B31602CF62DB21E2EF34CC065324
                                                          APIs
                                                          • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EAFF41,80070057,?,?,?,00EB035E), ref: 00EB002B
                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EAFF41,80070057,?,?), ref: 00EB0046
                                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EAFF41,80070057,?,?), ref: 00EB0054
                                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EAFF41,80070057,?), ref: 00EB0064
                                                          • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EAFF41,80070057,?,?), ref: 00EB0070
                                                          Similarity
                                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                                          • String ID:
                                                          • API String ID: 3897988419-0
                                                          • Opcode ID: 9fea42cdcec42a9488f2ccbac0938c7c2aaa0c0be1ce14cd1932afa7a2acb8d3
                                                          • Instruction ID: 6b7588ac4be8e29ca4191f7e2d9ac57d05686ea791709716366d1c20bf3b2aa1
                                                          • Opcode Fuzzy Hash: 9fea42cdcec42a9488f2ccbac0938c7c2aaa0c0be1ce14cd1932afa7a2acb8d3
                                                          • Instruction Fuzzy Hash: 2901F272600208BFDB165F69DC44BEB7AEDEF44391F205424F901F6210D770ED059BA0
                                                          APIs
                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 00EBE997
                                                          • QueryPerformanceFrequency.KERNEL32(?), ref: 00EBE9A5
                                                          • Sleep.KERNEL32(00000000), ref: 00EBE9AD
                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 00EBE9B7
                                                          • Sleep.KERNEL32 ref: 00EBE9F3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                          • String ID:
                                                          • API String ID: 2833360925-0
                                                          • Opcode ID: d7507756bb5b303246022a930781bb2570e05bc0d6c42ffd9e53fd2d85a04b62
                                                          • Instruction ID: efb8316b9445a12d84ec1d7c41a4a576e15b8ded4f693b3880683eabc1d6e460
                                                          • Opcode Fuzzy Hash: d7507756bb5b303246022a930781bb2570e05bc0d6c42ffd9e53fd2d85a04b62
                                                          • Instruction Fuzzy Hash: 9B019E31C0262DDBCF04AFE6DC99AEEBB78FF49301F101586E542B2240DB30A559CBA1
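The call sequence above (QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, QueryPerformanceCounter, Sleep) is the shape of a timed sleep: high-resolution timestamps taken on both sides of a Sleep call. That shape is shared by an ordinary high-resolution sleep routine and by a check for sleep acceleration in analysis environments, and the listing alone does not say which this is. The following is an added example, not code from the sample, that implements the measurement with an injectable clock and sleep so the "sleep returned far too early" case can be exercised offline; Python's time.perf_counter stands in for QueryPerformanceCounter/QueryPerformanceFrequency, and the function and class names are this example's own.

```python
"""Added example (not the sample's code): time a sleep the way the
QPC / Sleep / QPC call shape in the listing does, and flag a host on
which far less wall-clock time passed than was requested."""
import time
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class SleepMeasurement:
    requested_s: float
    elapsed_s: float

    @property
    def ratio(self) -> float:
        """elapsed / requested; 1.0 means the sleep took exactly as long as asked."""
        return self.elapsed_s / self.requested_s if self.requested_s > 0 else 1.0


def measure_sleep(requested_s: float,
                  sleep_fn: Callable[[float], None] = time.sleep,
                  clock_fn: Callable[[], float] = time.perf_counter) -> SleepMeasurement:
    """Timestamp, yield, sleep, timestamp: the same order as the listing.
    perf_counter already divides ticks by the counter frequency, which is what
    the QueryPerformanceFrequency call in the listing is for."""
    start = clock_fn()
    sleep_fn(0)                 # Sleep(0): give up the rest of the time slice
    sleep_fn(requested_s)
    return SleepMeasurement(requested_s, clock_fn() - start)


def sleep_was_shortened(m: SleepMeasurement, min_ratio: float = 0.9) -> bool:
    """True when the sleep returned well before the requested interval elapsed,
    which is what a sleep-skipping analysis host looks like from inside."""
    return m.ratio < min_ratio


class FakeAcceleratedHost:
    """Constructed stand-in for a host that fast-forwards sleeps: its clock only
    advances by `fraction` of every requested sleep. Test fixture, not a real API."""

    def __init__(self, fraction: float = 0.01) -> None:
        self.now = 0.0
        self.fraction = fraction

    def clock(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds * self.fraction


if __name__ == "__main__":
    real = measure_sleep(0.05)
    print("real host: ratio %.2f shortened=%s" % (real.ratio, sleep_was_shortened(real)))
    fake = FakeAcceleratedHost()
    forged = measure_sleep(2.0, sleep_fn=fake.sleep, clock_fn=fake.clock)
    print("accelerated host: ratio %.2f shortened=%s" % (forged.ratio, sleep_was_shortened(forged)))
```

The 0.9 threshold is a choice for this example: Sleep rounds up to the scheduler granularity, so a genuine sleep measures longer than requested, never shorter, and only a host that fakes the wait drives the ratio well below 1.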
                                                          APIs
                                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EB1114
                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,00EB0B9B,?,?,?), ref: 00EB1120
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EB0B9B,?,?,?), ref: 00EB112F
                                                          • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EB0B9B,?,?,?), ref: 00EB1136
                                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EB114D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 842720411-0
                                                          • Opcode ID: 865ffe2a938469df098f4faaeeabf57af0a6cd5d50a29473573028d1515c93ab
                                                          • Instruction ID: 484707e259a62793213dedf6529b6bb470c01c12d80195c6ab42b7848ecab1dd
                                                          • Opcode Fuzzy Hash: 865ffe2a938469df098f4faaeeabf57af0a6cd5d50a29473573028d1515c93ab
                                                          • Instruction Fuzzy Hash: F1016D75101209BFDB114F69DC89AAB3B6EEF86364B200459FA41E7350DA31DC418A60
                                                          APIs
                                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EB0FCA
                                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EB0FD6
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EB0FE5
                                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EB0FEC
                                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EB1002
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 44706859-0
                                                          • Opcode ID: d847742ae17fb7e0013814fdf808812e0dfc754d8291529c3a2d2c9affa99b0b
                                                          • Instruction ID: 26c56079401da2d10659a32efa5011c761da33014e61b6a9557a836fc52f75f3
                                                          • Opcode Fuzzy Hash: d847742ae17fb7e0013814fdf808812e0dfc754d8291529c3a2d2c9affa99b0b
                                                          • Instruction Fuzzy Hash: 78F0AF35100349AFD7211FA5AC8DF973B6EEF8A761F600458FD05EA250CA30DC418A60
                                                          APIs
                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EB102A
                                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EB1036
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EB1045
                                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EB104C
                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EB1062
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 44706859-0
                                                          • Opcode ID: 6b006006c980159137f8f130b795481bde6865253079a9d2f49bf6a8513255f3
                                                          • Instruction ID: fe21861ab6a1baf5473919f9dcc6f512fcc789ed46f7ef9fb80a989a64c76b90
                                                          • Opcode Fuzzy Hash: 6b006006c980159137f8f130b795481bde6865253079a9d2f49bf6a8513255f3
                                                          • Instruction Fuzzy Hash: 1EF0C235100345EFD7211FA5EC98F973B6DEF8A761F200414FD05EB250CA30D8419A60
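The three blocks above (GetUserObjectSecurity and the two GetTokenInformation functions) share one Win32 idiom: call once with a NULL buffer, get ERROR_INSUFFICIENT_BUFFER (122) from GetLastError together with the required size, HeapAlloc that many bytes from the process heap, then call again. One caveat on the listing: it pairs the information-class value 3 with the label TokenIntegrityLevel, but in winnt.h TokenIntegrityLevel is 25 and 3 is TokenPrivileges, so treat that label as the analyser's annotation rather than a recovered constant. The following is an added example, not the sample's code, that decodes the TOKEN_MANDATORY_LABEL a TokenIntegrityLevel query returns (a SID under authority 16 whose last sub-authority is the integrity RID) from a constructed buffer, and on Windows reproduces the probe/allocate/re-query pair with ctypes. The function names and the sample SID bytes are this example's own; the RID values and the enum value 25 are from winnt.h.

```python
"""Added example (not the sample's code): decode a TOKEN_MANDATORY_LABEL SID
into an integrity level, and on Windows issue the size-probe / allocate /
re-query GetTokenInformation pair seen in the listing."""
import struct
import sys

SECURITY_MANDATORY_LABEL_AUTHORITY = 16      # S-1-16-<rid>  (winnt.h)
INTEGRITY_RIDS = {                           # SECURITY_MANDATORY_*_RID (winnt.h)
    0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x2100: "MediumPlus",
    0x3000: "High", 0x4000: "System", 0x5000: "ProtectedProcess",
}


def parse_sid(raw: bytes):
    """Binary SID: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
    SubAuthority[count] (4 bytes each, little-endian). Returns (authority, [subs])."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:            # SID_MAX_SUB_AUTHORITIES is 15
        raise ValueError("not a valid SID header")
    if len(raw) < 8 + 4 * count:
        raise ValueError("SID truncated: header promises more sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, raw, 8))
    return authority, subs


def sid_to_string(raw: bytes) -> str:
    authority, subs = parse_sid(raw)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def integrity_level(raw_sid: bytes):
    """(rid, name) for a mandatory-label SID; RIDs outside winnt.h's list are 'Custom'."""
    authority, subs = parse_sid(raw_sid)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY or not subs:
        raise ValueError("not a mandatory-label SID")
    rid = subs[-1]
    return rid, INTEGRITY_RIDS.get(rid, "Custom")


# Constructed sample buffer: S-1-16-8192 (Medium) as it sits in memory.
SAMPLE_MEDIUM_SID = bytes.fromhex("0101" "000000000010" "00200000")


def query_current_token_integrity():
    """Windows only. The first call passes a NULL buffer and must fail with
    ERROR_INSUFFICIENT_BUFFER; the reported size is then allocated and the call repeated."""
    if sys.platform != "win32":
        raise OSError("requires Windows")
    import ctypes
    from ctypes import wintypes
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetCurrentProcess.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    adv.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE)]
    adv.GetTokenInformation.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p,
                                        wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    adv.GetLengthSid.argtypes = [ctypes.c_void_p]
    adv.GetLengthSid.restype = wintypes.DWORD
    TOKEN_QUERY, TOKEN_INTEGRITY_LEVEL, ERROR_INSUFFICIENT_BUFFER = 0x0008, 25, 122
    token = wintypes.HANDLE()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        needed = wintypes.DWORD(0)
        if (not adv.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, None, 0, ctypes.byref(needed))
                and ctypes.get_last_error() != ERROR_INSUFFICIENT_BUFFER):
            raise ctypes.WinError(ctypes.get_last_error())
        buf = ctypes.create_string_buffer(needed.value)      # stands in for HeapAlloc
        if not adv.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, buf, needed.value, ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        # TOKEN_MANDATORY_LABEL.Label.Sid is the first field: a pointer into buf
        sid_ptr = ctypes.cast(buf, ctypes.POINTER(ctypes.c_void_p))[0]
        raw_sid = ctypes.string_at(sid_ptr, adv.GetLengthSid(sid_ptr))
        return integrity_level(raw_sid)
    finally:
        k32.CloseHandle(token)


if __name__ == "__main__":
    print(sid_to_string(SAMPLE_MEDIUM_SID), integrity_level(SAMPLE_MEDIUM_SID))
    if sys.platform == "win32":
        print("current process:", query_current_token_integrity())
```

The decoder validates the sub-authority count against the buffer length before unpacking; a token or desktop security buffer is kernel-supplied, but the same parser is often pointed at bytes carved from a memory dump, where a truncated SID is the normal case.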
                                                          APIs
                                                          • CloseHandle.KERNEL32(?,?,?,?,00EC017D,?,00EC32FC,?,00000001,00E92592,?), ref: 00EC0324
                                                          • CloseHandle.KERNEL32(?,?,?,?,00EC017D,?,00EC32FC,?,00000001,00E92592,?), ref: 00EC0331
                                                          • CloseHandle.KERNEL32(?,?,?,?,00EC017D,?,00EC32FC,?,00000001,00E92592,?), ref: 00EC033E
                                                          • CloseHandle.KERNEL32(?,?,?,?,00EC017D,?,00EC32FC,?,00000001,00E92592,?), ref: 00EC034B
                                                          • CloseHandle.KERNEL32(?,?,?,?,00EC017D,?,00EC32FC,?,00000001,00E92592,?), ref: 00EC0358
                                                          • CloseHandle.KERNEL32(?,?,?,?,00EC017D,?,00EC32FC,?,00000001,00E92592,?), ref: 00EC0365
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: 7677a1ac30db79aa6df2b369bc0ae74dc1cf58dd9b4f22046bb606efdb54bb3f
                                                          • Instruction ID: ea9ecc59c529aa082c787fd3c02a89bc0192b6413df051fe42027a55106eb894
                                                          • Opcode Fuzzy Hash: 7677a1ac30db79aa6df2b369bc0ae74dc1cf58dd9b4f22046bb606efdb54bb3f
                                                          • Instruction Fuzzy Hash: 2501A272800B55DFCB309F6AD980916FBF9BF503193159A3FD19662931C372A95ACF80
                                                          APIs
                                                          • _free.LIBCMT ref: 00E8D752
                                                            • Part of subcall function 00E829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E8D7D1,00000000,00000000,00000000,00000000,?,00E8D7F8,00000000,00000007,00000000,?,00E8DBF5,00000000), ref: 00E829DE
                                                            • Part of subcall function 00E829C8: GetLastError.KERNEL32(00000000,?,00E8D7D1,00000000,00000000,00000000,00000000,?,00E8D7F8,00000000,00000007,00000000,?,00E8DBF5,00000000,00000000), ref: 00E829F0
                                                          • _free.LIBCMT ref: 00E8D764
                                                          • _free.LIBCMT ref: 00E8D776
                                                          • _free.LIBCMT ref: 00E8D788
                                                          • _free.LIBCMT ref: 00E8D79A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 643da0f190faa87a61b4c33ec694aeb61b79cf167c82090c9410fade909ae6a8
                                                          • Instruction ID: 247b8582086681b2e1b13488d03a954467b6809c45feea9fb370f65df190a4bc
                                                          • Opcode Fuzzy Hash: 643da0f190faa87a61b4c33ec694aeb61b79cf167c82090c9410fade909ae6a8
                                                          • Instruction Fuzzy Hash: 8BF01232588208AB8625FB68FDC5C567BEDBB44724796680AF14CF7541C735FC8087A4
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00EB5C58
                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00EB5C6F
                                                          • MessageBeep.USER32(00000000), ref: 00EB5C87
                                                          • KillTimer.USER32(?,0000040A), ref: 00EB5CA3
                                                          • EndDialog.USER32(?,00000001), ref: 00EB5CBD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                          • String ID:
                                                          • API String ID: 3741023627-0
                                                          • Opcode ID: f3793cd11f8379bb93d7d897bfeb569f9f474e346edca22bc9bb4a915e3cf6db
                                                          • Instruction ID: 63395b9a7fdb5d552fa10194226ce0ea632c32addf58c215c427f38555e4c933
                                                          • Opcode Fuzzy Hash: f3793cd11f8379bb93d7d897bfeb569f9f474e346edca22bc9bb4a915e3cf6db
                                                          • Instruction Fuzzy Hash: 9A018631500B48AFEB215B11DD8EFE7BBB9BB00B05F041559B587B50E1DBF0A9898E90
                                                          APIs
                                                          • _free.LIBCMT ref: 00E822BE
                                                            • Part of subcall function 00E829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E8D7D1,00000000,00000000,00000000,00000000,?,00E8D7F8,00000000,00000007,00000000,?,00E8DBF5,00000000), ref: 00E829DE
                                                            • Part of subcall function 00E829C8: GetLastError.KERNEL32(00000000,?,00E8D7D1,00000000,00000000,00000000,00000000,?,00E8D7F8,00000000,00000007,00000000,?,00E8DBF5,00000000,00000000), ref: 00E829F0
                                                          • _free.LIBCMT ref: 00E822D0
                                                          • _free.LIBCMT ref: 00E822E3
                                                          • _free.LIBCMT ref: 00E822F4
                                                          • _free.LIBCMT ref: 00E82305
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: eef072a245f42cb928ccff8386001d9d56b5a832d6d9d3e1807b7431584a970f
                                                          • Instruction ID: 5109971ae70ffe283dc65f9762a497169a38475ee2c3c735cada314a9e6dd166
                                                          • Opcode Fuzzy Hash: eef072a245f42cb928ccff8386001d9d56b5a832d6d9d3e1807b7431584a970f
                                                          • Instruction Fuzzy Hash: 2FF05E718801288B8632BF54BC418493BA4F768760702250EF51CE22B2CB341853BFE8
                                                          APIs
                                                          • EndPath.GDI32(?), ref: 00E695D4
                                                          • StrokeAndFillPath.GDI32(?,?,00EA71F7,00000000,?,?,?), ref: 00E695F0
                                                          • SelectObject.GDI32(?,00000000), ref: 00E69603
                                                          • DeleteObject.GDI32 ref: 00E69616
                                                          • StrokePath.GDI32(?), ref: 00E69631
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                          • String ID:
                                                          • API String ID: 2625713937-0
                                                          • Opcode ID: 150f9d9c118214bffda25a10f34fcda8b8c84020190fe5526779c466c7e8ca7f
                                                          • Instruction ID: 59890993bce9078863f253d9d642ea5743359dccb99bb2b6b9bc871f23bb3a28
                                                          • Opcode Fuzzy Hash: 150f9d9c118214bffda25a10f34fcda8b8c84020190fe5526779c466c7e8ca7f
                                                          • Instruction Fuzzy Hash: C3F0193004638CEFDB265F66ED58B683B65BB11366F149214F425690F1C730899BEF28
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: __freea$_free
                                                          • String ID: a/p$am/pm
                                                          • API String ID: 3432400110-3206640213
                                                          • Opcode ID: 8aa8f7ee11109f728016ada44bbf8f5dd03f8ba88f34e54318ffe5130e986977
                                                          • Instruction ID: 788bd75a5fcc3f228628e40bbae732740031198bb5e02c90f5c0510be2bf65f3
                                                          • Opcode Fuzzy Hash: 8aa8f7ee11109f728016ada44bbf8f5dd03f8ba88f34e54318ffe5130e986977
                                                          • Instruction Fuzzy Hash: DBD10331900246CACB24BF68C849BFAB7B9FF06704F256199E90DBB650D3759D82CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: JO
                                                          • API String ID: 0-1663374661
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00E88B6E
• GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00E88B7A
• __dosmaperr.LIBCMT ref: 00E88B81
Strings
Memory Dump Source
• Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_file.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr
• String ID: .
• API String ID: 2434981716-3963672497
APIs
  • Part of subcall function 00EBB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EB21D0,?,?,00000034,00000800,?,00000034), ref: 00EBB42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00EB2760
  • Part of subcall function 00EBB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EB21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00EBB3F8
  • Part of subcall function 00EBB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00EBB355
  • Part of subcall function 00EBB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00EB2194,00000034,?,?,00001004,00000000,00000000), ref: 00EBB365
  • Part of subcall function 00EBB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00EB2194,00000034,?,?,00001004,00000000,00000000), ref: 00EBB37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EB27CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EB281A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_file.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00E81769
• _free.LIBCMT ref: 00E81834
• _free.LIBCMT ref: 00E8183E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_file.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\file.exe
• API String ID: 2506810119-517116171
APIs
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00EBC306
• DeleteMenu.USER32(?,00000007,00000000), ref: 00EBC34C
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F21990,017B6678), ref: 00EBC395
Strings
Memory Dump Source
• Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_file.jbxd
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• API String ID: 135850232-4108050209
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00EECC08,00000000,?,?,?,?), ref: 00EE44AA
• GetWindowLongW.USER32 ref: 00EE44C7
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EE44D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_file.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
APIs
• SysReAllocString.OLEAUT32(?,?), ref: 00EB6EED
• VariantCopyInd.OLEAUT32(?,?), ref: 00EB6F08
• VariantClear.OLEAUT32(?), ref: 00EB6F12
Strings
Memory Dump Source
• Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_file.jbxd
Similarity
• API ID: Variant$AllocClearCopyString
• String ID: *j
• API String ID: 2173805711-1845181700
APIs
  • Part of subcall function 00ED335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00ED3077,?,?), ref: 00ED3378
• inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00ED307A
• _wcslen.LIBCMT ref: 00ED309B
• htons.WSOCK32(00000000,?,?,00000000), ref: 00ED3106
Strings
Memory Dump Source
• Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_file.jbxd
Similarity
• API ID: ByteCharMultiWide_wcslenhtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 946324512-2422070025
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00EE3F40
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00EE3F54
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00EE3F78
Strings
Memory Dump Source
• Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_file.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00EE4705
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00EE4713
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EE471A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_file.jbxd
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_file.jbxd
Similarity
• API ID: _wcslen
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 176396367-2734436370
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00EE3840
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00EE3850
• MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00EE3876
Strings
Memory Dump Source
• Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_file.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 00EC4A08
                                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EC4A5C
                                                          • SetErrorMode.KERNEL32(00000000,?,?,00EECC08), ref: 00EC4AD0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorMode$InformationVolume
                                                          • String ID: %lu
                                                          • API String ID: 2507767853-685833217
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00EE424F
                                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00EE4264
                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00EE4271
                                                          Strings
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: msctls_trackbar32
                                                          • API String ID: 3850602802-1010561917
                                                          APIs
                                                            • Part of subcall function 00E56B57: _wcslen.LIBCMT ref: 00E56B6A
                                                            • Part of subcall function 00EB2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EB2DC5
                                                            • Part of subcall function 00EB2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EB2DD6
                                                            • Part of subcall function 00EB2DA7: GetCurrentThreadId.KERNEL32 ref: 00EB2DDD
                                                            • Part of subcall function 00EB2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EB2DE4
                                                          • GetFocus.USER32 ref: 00EB2F78
                                                            • Part of subcall function 00EB2DEE: GetParent.USER32(00000000), ref: 00EB2DF9
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00EB2FC3
                                                          • EnumChildWindows.USER32(?,00EB303B), ref: 00EB2FEB
                                                          Strings
                                                          Similarity
                                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                          • String ID: %s%d
                                                          • API String ID: 1272988791-1110647743
                                                          APIs
                                                          • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00EE58C1
                                                          • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00EE58EE
                                                          • DrawMenuBar.USER32(?), ref: 00EE58FD
                                                          Strings
                                                          Similarity
                                                          • API ID: Menu$InfoItem$Draw
                                                          • String ID: 0
                                                          • API String ID: 3227129158-4108050209
                                                          APIs
                                                          • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00EAD3BF
                                                          • FreeLibrary.KERNEL32 ref: 00EAD3E5
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressFreeLibraryProc
                                                          • String ID: GetSystemWow64DirectoryW$X64
                                                          • API String ID: 3013587201-2590602151
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          APIs
                                                          Similarity
                                                          • API ID: Variant$ClearInitInitializeUninitialize
                                                          • String ID:
                                                          • API String ID: 1998397398-0
                                                          APIs
                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00EEFC08,?), ref: 00EB05F0
                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00EEFC08,?), ref: 00EB0608
                                                          • CLSIDFromProgID.OLE32(?,?,00000000,00EECC40,000000FF,?,00000000,00000800,00000000,?,00EEFC08,?), ref: 00EB062D
                                                          • _memcmp.LIBVCRUNTIME ref: 00EB064E
                                                          Similarity
                                                          • API ID: FromProg$FreeTask_memcmp
                                                          • String ID:
                                                          • API String ID: 314563124-0
                                                          APIs
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          APIs
                                                          • GetWindowRect.USER32(?,?), ref: 00EE62E2
                                                          • ScreenToClient.USER32(?,?), ref: 00EE6315
                                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00EE6382
                                                          Similarity
                                                          • API ID: Window$ClientMoveRectScreen
                                                          • String ID:
                                                          • API String ID: 3880355969-0
                                                          APIs
                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00ED1AFD
                                                          • WSAGetLastError.WSOCK32 ref: 00ED1B0B
                                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00ED1B8A
                                                          • WSAGetLastError.WSOCK32 ref: 00ED1B94
                                                          Similarity
                                                          • API ID: ErrorLast$socket
                                                          • String ID:
                                                          • API String ID: 1881357543-0
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          APIs
                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EC5783
                                                          • GetLastError.KERNEL32(?,00000000), ref: 00EC57A9
                                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EC57CE
                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EC57FA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                          • String ID:
                                                          • API String ID: 3321077145-0
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E782D9,?,00E782D9,?,00000001,?,?,00000001,00E782D9,00E782D9), ref: 00E8D910
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E8D999
                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E8D9AB
                                                          • __freea.LIBCMT ref: 00E8D9B4
                                                            • Part of subcall function 00E83820: RtlAllocateHeap.NTDLL(00000000,?,00F21444,?,00E6FDF5,?,?,00E5A976,00000010,00F21440,00E513FC,?,00E513C6,?,00E51129), ref: 00E83852
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                          • String ID:
                                                          • API String ID: 2652629310-0
                                                          APIs
                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00EE5352
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00EE5375
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EE5382
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EE53A8
                                                          Similarity
                                                          • API ID: LongWindow$InvalidateMessageRectSend
                                                          • String ID:
                                                          • API String ID: 3340791633-0
                                                          APIs
                                                          • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00EBABF1
                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00EBAC0D
                                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 00EBAC74
                                                          • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00EBACC6
                                                          Similarity
                                                          • API ID: KeyboardState$InputMessagePostSend
                                                          • String ID:
                                                          • API String ID: 432972143-0
                                                          APIs
                                                          • ClientToScreen.USER32(?,?), ref: 00EE769A
                                                          • GetWindowRect.USER32(?,?), ref: 00EE7710
                                                          • PtInRect.USER32(?,?,00EE8B89), ref: 00EE7720
                                                          • MessageBeep.USER32(00000000), ref: 00EE778C
                                                          Similarity
                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                          • String ID:
                                                          • API String ID: 1352109105-0
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 00EE16EB
                                                            • Part of subcall function 00EB3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EB3A57
                                                            • Part of subcall function 00EB3A3D: GetCurrentThreadId.KERNEL32 ref: 00EB3A5E
                                                            • Part of subcall function 00EB3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EB25B3), ref: 00EB3A65
                                                          • GetCaretPos.USER32(?), ref: 00EE16FF
                                                          • ClientToScreen.USER32(00000000,?), ref: 00EE174C
                                                          • GetForegroundWindow.USER32 ref: 00EE1752
                                                          Similarity
                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                          • String ID:
                                                          • API String ID: 2759813231-0
                                                          APIs
                                                            • Part of subcall function 00E57620: _wcslen.LIBCMT ref: 00E57625
                                                          • _wcslen.LIBCMT ref: 00EBDFCB
                                                          • _wcslen.LIBCMT ref: 00EBDFE2
                                                          • _wcslen.LIBCMT ref: 00EBE00D
                                                          • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00EBE018
                                                          Similarity
                                                          • API ID: _wcslen$ExtentPoint32Text
                                                          • String ID:
                                                          • API String ID: 3763101759-0
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00EBD501
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00EBD50F
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00EBD52F
                                                          • CloseHandle.KERNEL32(00000000), ref: 00EBD5DC
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 420147892-0
                                                          APIs
                                                            • Part of subcall function 00E69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E69BB2
                                                          • GetCursorPos.USER32(?), ref: 00EE9001
                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00EA7711,?,?,?,?,?), ref: 00EE9016
                                                          • GetCursorPos.USER32(?), ref: 00EE905E
                                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00EA7711,?,?,?), ref: 00EE9094
                                                          Similarity
                                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                          • String ID:
                                                          • API String ID: 2864067406-0
                                                          APIs
                                                          • GetFileAttributesW.KERNEL32(?,00EECB68), ref: 00EBD2FB
                                                          • GetLastError.KERNEL32 ref: 00EBD30A
                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00EBD319
                                                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00EECB68), ref: 00EBD376
                                                          Similarity
                                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                                          • String ID:
                                                          • API String ID: 2267087916-0
                                                          APIs
                                                            • Part of subcall function 00EB1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EB102A
                                                            • Part of subcall function 00EB1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EB1036
                                                            • Part of subcall function 00EB1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EB1045
                                                            • Part of subcall function 00EB1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EB104C
                                                            • Part of subcall function 00EB1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EB1062
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EB15BE
                                                          • _memcmp.LIBVCRUNTIME ref: 00EB15E1
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EB1617
                                                          • HeapFree.KERNEL32(00000000), ref: 00EB161E
                                                          Similarity
                                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                          • String ID:
                                                          • API String ID: 1592001646-0
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00EE280A
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EE2824
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EE2832
                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00EE2840
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$Long$AttributesLayered
                                                          • String ID:
                                                          • API String ID: 2169480361-0
                                                          • Opcode ID: bf4dc8ded15ca1b1ff3ae464e86e20ab20246663643d9e1f6668e33feaf366a5
                                                          • Instruction ID: 11685ecbe20c8e5eb4c8e29f4d6b9592fd6880b204cfdf63c03fab3577852c35
                                                          • Opcode Fuzzy Hash: bf4dc8ded15ca1b1ff3ae464e86e20ab20246663643d9e1f6668e33feaf366a5
                                                          • Instruction Fuzzy Hash: 64213631204198AFD7149F25CC41FAA7799EF45324F24911CF916AB2D2C771FC46C790
                                                          APIs
                                                            • Part of subcall function 00EB8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00EB790A,?,000000FF,?,00EB8754,00000000,?,0000001C,?,?), ref: 00EB8D8C
                                                            • Part of subcall function 00EB8D7D: lstrcpyW.KERNEL32(00000000,?,?,00EB790A,?,000000FF,?,00EB8754,00000000,?,0000001C,?,?,00000000), ref: 00EB8DB2
                                                            • Part of subcall function 00EB8D7D: lstrcmpiW.KERNEL32(00000000,?,00EB790A,?,000000FF,?,00EB8754,00000000,?,0000001C,?,?), ref: 00EB8DE3
                                                          • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00EB8754,00000000,?,0000001C,?,?,00000000), ref: 00EB7923
                                                          • lstrcpyW.KERNEL32(00000000,?,?,00EB8754,00000000,?,0000001C,?,?,00000000), ref: 00EB7949
                                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,00EB8754,00000000,?,0000001C,?,?,00000000), ref: 00EB7984
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: lstrcmpilstrcpylstrlen
                                                          • String ID: cdecl
                                                          • API String ID: 4031866154-3896280584
                                                          • Opcode ID: ecb82d040a2e2840d1faea49fda2b1348d17859c8a0e0ebe9a289c0667d858f0
                                                          • Instruction ID: 7e696483b2bd784ed06412656f35c675ca52141b59ed4d58626352f91fcc5ce5
                                                          • Opcode Fuzzy Hash: ecb82d040a2e2840d1faea49fda2b1348d17859c8a0e0ebe9a289c0667d858f0
                                                          • Instruction Fuzzy Hash: 8E11E43A201241AFCB159F35D844DBB77E9FFC5394B10502AF982DB264EB319811C791
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00EE7D0B
                                                          • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00EE7D2A
                                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00EE7D42
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00ECB7AD,00000000), ref: 00EE7D6B
                                                            • Part of subcall function 00E69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E69BB2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$Long
                                                          • String ID:
                                                          • API String ID: 847901565-0
                                                          • Opcode ID: 22ece74fb08861eebe964508356234e15e6598bfcfd355c2ec8b2b9edd1571f2
                                                          • Instruction ID: 15459fb45a482a7e411f9980e20aea0cd0780d156503b1923d0fd877c87b881d
                                                          • Opcode Fuzzy Hash: 22ece74fb08861eebe964508356234e15e6598bfcfd355c2ec8b2b9edd1571f2
                                                          • Instruction Fuzzy Hash: 2611AE3120469DAFCB108F2ADC44AB63BA4BF46364B255324F875EB2E0E7308951DB40
                                                          APIs
                                                          • SendMessageW.USER32(?,00001060,?,00000004), ref: 00EE56BB
                                                          • _wcslen.LIBCMT ref: 00EE56CD
                                                          • _wcslen.LIBCMT ref: 00EE56D8
                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00EE5816
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend_wcslen
                                                          • String ID:
                                                          • API String ID: 455545452-0
                                                          • Opcode ID: eafa5a039ef404038d30e7dd2979b7e00fddbb7cd1faaa5db0bd8c515e66631e
                                                          • Instruction ID: e0f4214f6f25e66723fb0de6fc2e73afd56a660428326223b1ace0f4864a98bf
                                                          • Opcode Fuzzy Hash: eafa5a039ef404038d30e7dd2979b7e00fddbb7cd1faaa5db0bd8c515e66631e
                                                          • Instruction Fuzzy Hash: D211B47260069E96DB209F628C85AEE77ACEF5076CF105026F916F6081E770C984CB65
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 516dca3729505a702c69426c505d843df2a628ee5821acc4633aa0343832ab96
                                                          • Instruction ID: 8b502da1922f8055e7cd7bfa44ba62c303a4a6eb3bfb4051a5bc54c224aed9fd
                                                          • Opcode Fuzzy Hash: 516dca3729505a702c69426c505d843df2a628ee5821acc4633aa0343832ab96
                                                          • Instruction Fuzzy Hash: A701ADB220A61A7EF62136786CC0F67666CDF813B9B312769F62DB11D2DB608C025360
                                                          APIs
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00EB1A47
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EB1A59
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EB1A6F
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EB1A8A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: 1898de04b4b2d3d43a0e68bd44280583f26cfb96daa5071657c2b80b838cbca0
                                                          • Instruction ID: 7112b2ddbc07ba2d7873e5fec90c8bd60eb46692b9efd24bb83dc8dba6cc9c5f
                                                          • Opcode Fuzzy Hash: 1898de04b4b2d3d43a0e68bd44280583f26cfb96daa5071657c2b80b838cbca0
                                                          • Instruction Fuzzy Hash: A311273A901219FFEB109BA5C985FEEBB78EB08760F200091EA00B7290D6716E50DB94
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 00EBE1FD
                                                          • MessageBoxW.USER32(?,?,?,?), ref: 00EBE230
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EBE246
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EBE24D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                          • String ID:
                                                          • API String ID: 2880819207-0
                                                          • Opcode ID: c6f4ff1269990d62d0feb7b9e742dc4a93b5780da16f792eb1b0c78d2593551b
                                                          • Instruction ID: 18db313e1d9ae98ea1c241aa39818032b34320b50a64f4c885f93936798d494d
                                                          • Opcode Fuzzy Hash: c6f4ff1269990d62d0feb7b9e742dc4a93b5780da16f792eb1b0c78d2593551b
                                                          • Instruction Fuzzy Hash: 16110472904258BFC711DBA8AC49ADF7FADAB45324F104259F825F33A1D6B0DD0587A0
                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,?,00E7CFF9,00000000,00000004,00000000), ref: 00E7D218
                                                          • GetLastError.KERNEL32 ref: 00E7D224
                                                          • __dosmaperr.LIBCMT ref: 00E7D22B
                                                          • ResumeThread.KERNEL32(00000000), ref: 00E7D249
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                          • String ID:
                                                          • API String ID: 173952441-0
                                                          • Opcode ID: 1a27103841b113bcc7c77b7d95b9f1498b21d7f0308093b40e6c7ae8efe099a5
                                                          • Instruction ID: 526c23e933da0c5d31eac5ddddb508904191ba23133bfc4f6c8e36065f061ba9
                                                          • Opcode Fuzzy Hash: 1a27103841b113bcc7c77b7d95b9f1498b21d7f0308093b40e6c7ae8efe099a5
                                                          • Instruction Fuzzy Hash: 53012636409248BBC7115BA6DC05BAA3ABDDF81730F209219F92CB60E1CB708902C6A0
                                                          APIs
                                                            • Part of subcall function 00E69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E69BB2
                                                          • GetClientRect.USER32(?,?), ref: 00EE9F31
                                                          • GetCursorPos.USER32(?), ref: 00EE9F3B
                                                          • ScreenToClient.USER32(?,?), ref: 00EE9F46
                                                          • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00EE9F7A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Client$CursorLongProcRectScreenWindow
                                                          • String ID:
                                                          • API String ID: 4127811313-0
                                                          • Opcode ID: a1a5f530aa2b028ac902785d69828c0f4b7507f8e075035cebeacc1d867d10a1
                                                          • Instruction ID: 47c943dc255e6b20cab9dd3631710ee7caff0028faedc614dd7010297ef7b1f0
                                                          • Opcode Fuzzy Hash: a1a5f530aa2b028ac902785d69828c0f4b7507f8e075035cebeacc1d867d10a1
                                                          • Instruction Fuzzy Hash: 7E113672A0029EABDB10DF6AE8899FE77B9FB05311F100451F911F7142D330BA86CBA1
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E5604C
                                                          • GetStockObject.GDI32(00000011), ref: 00E56060
                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E5606A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CreateMessageObjectSendStockWindow
                                                          • String ID:
                                                          • API String ID: 3970641297-0
                                                          • Opcode ID: e88440e266bb16a52c20d83aad743cea8d02654d2e07f87ae16136aa4dac3184
                                                          • Instruction ID: 81e0c663181f17be9b2307ef6f7b4465000f49c68315ad831d701731158de29e
                                                          • Opcode Fuzzy Hash: e88440e266bb16a52c20d83aad743cea8d02654d2e07f87ae16136aa4dac3184
                                                          • Instruction Fuzzy Hash: D6118E72101549BFEF224FA4CC44EEA7B69EF08365F501202FE0466150C732DC659B90
                                                          APIs
                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 00E73B56
                                                            • Part of subcall function 00E73AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00E73AD2
                                                            • Part of subcall function 00E73AA3: ___AdjustPointer.LIBCMT ref: 00E73AED
                                                          • _UnwindNestedFrames.LIBCMT ref: 00E73B6B
                                                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00E73B7C
                                                          • CallCatchBlock.LIBVCRUNTIME ref: 00E73BA4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                          • String ID:
                                                          • API String ID: 737400349-0
                                                          • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                          • Instruction ID: 790102d0a8ff33583713ca2807e3faf9715b69697431f6dde7d0db505476014b
                                                          • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                          • Instruction Fuzzy Hash: D9014C72100148BBDF125EA5CC46EEB7FADEF48758F049018FE5C66121C732E961EBA0
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E513C6,00000000,00000000,?,00E8301A,00E513C6,00000000,00000000,00000000,?,00E8328B,00000006,FlsSetValue), ref: 00E830A5
                                                          • GetLastError.KERNEL32(?,00E8301A,00E513C6,00000000,00000000,00000000,?,00E8328B,00000006,FlsSetValue,00EF2290,FlsSetValue,00000000,00000364,?,00E82E46), ref: 00E830B1
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E8301A,00E513C6,00000000,00000000,00000000,?,00E8328B,00000006,FlsSetValue,00EF2290,FlsSetValue,00000000), ref: 00E830BF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad$ErrorLast
                                                          • String ID:
                                                          • API String ID: 3177248105-0
                                                          • Opcode ID: 2547591a2cbe6d2980840f2fe984637f595f246c8e8a5c2fa3abc4e82fe6f727
                                                          • Instruction ID: 757dc8b37b3ce192f5c06fdfe0a855dbc7de9086713145922dbacb8a543aacea
                                                          • Opcode Fuzzy Hash: 2547591a2cbe6d2980840f2fe984637f595f246c8e8a5c2fa3abc4e82fe6f727
                                                          • Instruction Fuzzy Hash: E901F732302726AFCB315BBA9C84A677B98AF45F65B200720F90DF7150C721D906C7E0
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00EB747F
                                                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00EB7497
                                                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00EB74AC
                                                          • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00EB74CA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Type$Register$FileLoadModuleNameUser
                                                          • String ID:
                                                          • API String ID: 1352324309-0
                                                          • Opcode ID: 78fcaeb0454be4511ba77d18982c3328296227413f40412cdd49f54d9dc392b0
                                                          • Instruction ID: 238257903ca640b847845d7fb1d5e32a9f9b249940dfe3ec86504f08cc748a88
                                                          • Opcode Fuzzy Hash: 78fcaeb0454be4511ba77d18982c3328296227413f40412cdd49f54d9dc392b0
                                                          • Instruction Fuzzy Hash: D4118EB12053149FE7208F14EC48BD37BFCEB40B05F108569B6B6EA591D770E908DB50
                                                          APIs
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EBACD3,?,00008000), ref: 00EBB0C4
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EBACD3,?,00008000), ref: 00EBB0E9
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EBACD3,?,00008000), ref: 00EBB0F3
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EBACD3,?,00008000), ref: 00EBB126
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CounterPerformanceQuerySleep
                                                          • String ID:
                                                          • API String ID: 2875609808-0
                                                          • Opcode ID: 572a04dbac6c0915965f1ef361731f586bf6554de93705503d924ee7327aa6da
                                                          • Instruction ID: 34e7fb11b2e7cb1edc85505a56ebf18f0dedf639e894ee7f49ee4b984215d835
                                                          • Opcode Fuzzy Hash: 572a04dbac6c0915965f1ef361731f586bf6554de93705503d924ee7327aa6da
                                                          • Instruction Fuzzy Hash: B6116D31C0252CEBCF04AFE9E9A86FFBB78FF0A711F115085E941B6281CBB096518B51
                                                          APIs
                                                          • GetWindowRect.USER32(?,?), ref: 00EE7E33
                                                          • ScreenToClient.USER32(?,?), ref: 00EE7E4B
                                                          • ScreenToClient.USER32(?,?), ref: 00EE7E6F
                                                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EE7E8A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                          • String ID:
                                                          • API String ID: 357397906-0
                                                          • Opcode ID: eb1e6bad4ff60736bb1b6001b46324d45407d67d6fa209cfbd037d20bd618932
                                                          • Instruction ID: 02fb6bb2dd30b5c406f7f1c70871fd41692cd20a745d26ca22817f44a094f78d
                                                          • Opcode Fuzzy Hash: eb1e6bad4ff60736bb1b6001b46324d45407d67d6fa209cfbd037d20bd618932
                                                          • Instruction Fuzzy Hash: 891143B9D0024EAFDB41CFA9D8849EEBBF5FB08310F505066E915E2210D735AA55CF50
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EB2DC5
                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EB2DD6
                                                          • GetCurrentThreadId.KERNEL32 ref: 00EB2DDD
                                                          • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EB2DE4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 2710830443-0
                                                          • Opcode ID: 278e1bc16984cd8e8875c5b024d9bf7af0f46b09e13a205c01743647affaa8e6
                                                          • Instruction ID: 24309e65b97c00e54805847247d3574d5078e4abec5b52a3768fc0f2e1f8d120
                                                          • Opcode Fuzzy Hash: 278e1bc16984cd8e8875c5b024d9bf7af0f46b09e13a205c01743647affaa8e6
                                                          • Instruction Fuzzy Hash: E1E09272101228BFDB201B73AC4DFEB3E6CEF42FA1F101019F206F50809AA0C886C6B0
                                                          APIs
                                                            • Part of subcall function 00E69639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E69693
                                                            • Part of subcall function 00E69639: SelectObject.GDI32(?,00000000), ref: 00E696A2
                                                            • Part of subcall function 00E69639: BeginPath.GDI32(?), ref: 00E696B9
                                                            • Part of subcall function 00E69639: SelectObject.GDI32(?,00000000), ref: 00E696E2
                                                          • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00EE8887
                                                          • LineTo.GDI32(?,?,?), ref: 00EE8894
                                                          • EndPath.GDI32(?), ref: 00EE88A4
                                                          • StrokePath.GDI32(?), ref: 00EE88B2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                          • String ID:
                                                          • API String ID: 1539411459-0
                                                          • Opcode ID: a0b8859af05cf3f7d352778e96456fb734afdd27f6aede4f56520d8f1cc787c4
                                                          • Instruction ID: 832fb070374650e4dec13133a63bea49106cd5ce2783c80bae332c7433ce9c4c
                                                          • Opcode Fuzzy Hash: a0b8859af05cf3f7d352778e96456fb734afdd27f6aede4f56520d8f1cc787c4
                                                          • Instruction Fuzzy Hash: 3FF03A3604129CBADB125F95AC09FCE3A69AF16314F548000FE11790E2C7755556DBE9
                                                          APIs
                                                          • GetSysColor.USER32(00000008), ref: 00E698CC
                                                          • SetTextColor.GDI32(?,?), ref: 00E698D6
                                                          • SetBkMode.GDI32(?,00000001), ref: 00E698E9
                                                          • GetStockObject.GDI32(00000005), ref: 00E698F1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Color$ModeObjectStockText
                                                          • String ID:
                                                          • API String ID: 4037423528-0
                                                          • Opcode ID: 8b59bc44528b65c42776a406f53bacc20b1f731c54043f673ae6c550989290f3
                                                          • Instruction ID: 515b8ff01c33a5707db284fb3fde6bb82cabe17b66669f7689678b9ce9a917f4
                                                          • Opcode Fuzzy Hash: 8b59bc44528b65c42776a406f53bacc20b1f731c54043f673ae6c550989290f3
                                                          • Instruction Fuzzy Hash: 27E0E531240284AEDB204B35FC08BD83F20EB06336F148219F6F96C0E1C37146459B10
                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 00EB1634
                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,00EB11D9), ref: 00EB163B
                                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EB11D9), ref: 00EB1648
                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,00EB11D9), ref: 00EB164F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CurrentOpenProcessThreadToken
                                                          • String ID:
                                                          • API String ID: 3974789173-0
                                                          • Opcode ID: b71bb96dd3f2f91fc2f3f24e5984f785a603ca3f2bdef1d3c76213f041ac4002
                                                          • Instruction ID: e95e79670d8fb84011fe0936ce29918ccbd5b53114efe9dcc305573d912ce2a6
                                                          • Opcode Fuzzy Hash: b71bb96dd3f2f91fc2f3f24e5984f785a603ca3f2bdef1d3c76213f041ac4002
                                                          • Instruction Fuzzy Hash: 9EE08631601215DFD7201FA6AD4DB873B7CAF447A5F244848F645ED090E734444AC750
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 00EAD858
                                                          • GetDC.USER32(00000000), ref: 00EAD862
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EAD882
                                                          • ReleaseDC.USER32(?), ref: 00EAD8A3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          • Opcode ID: 41906b8159c434bb94360f50524b8962ea7d2a45baf36132cae4ef451c6b74b8
                                                          • Instruction ID: 97bb2d64c1bebefa031fa9baaaa185612f68cd427318d2e7c5c62184af3fbc75
                                                          • Opcode Fuzzy Hash: 41906b8159c434bb94360f50524b8962ea7d2a45baf36132cae4ef451c6b74b8
                                                          • Instruction Fuzzy Hash: 09E0E5B4904209DFCF419FA59C4866EBBB2AB48711B249409F816BB250C738590AAF50
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 00EAD86C
                                                          • GetDC.USER32(00000000), ref: 00EAD876
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EAD882
                                                          • ReleaseDC.USER32(?), ref: 00EAD8A3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          • Opcode ID: 60937676674122d5b89c7734149063a9111b834884951c56667ba5f6d6d535b7
                                                          • Instruction ID: 8435ae7acec0f24a1a40befdcbe66d947dbe482873776d33b6d2794b6896eb9f
                                                          • Opcode Fuzzy Hash: 60937676674122d5b89c7734149063a9111b834884951c56667ba5f6d6d535b7
                                                          • Instruction Fuzzy Hash: 3BE01A74D00209DFCF409FA5DC4C66EBBF1BB48711B249408F816FB250C738590A9F50
                                                          APIs
                                                            • Part of subcall function 00E57620: _wcslen.LIBCMT ref: 00E57625
                                                          • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00EC4ED4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Connection_wcslen
                                                          • String ID: *$LPT
                                                          • API String ID: 1725874428-3443410124
                                                          • Opcode ID: b51de3a2115710a70c0bedc3d5eaa2483703ee3cd65298d039c015bb0a29cabc
                                                          • Instruction ID: fa9489b19dd78d088fb22234dce9a0db02120747f2662d240d11690943da38ea
                                                          • Opcode Fuzzy Hash: b51de3a2115710a70c0bedc3d5eaa2483703ee3cd65298d039c015bb0a29cabc
                                                          • Instruction Fuzzy Hash: 5E9170B5A002449FCB14DF54C594FA9BBF1AF44308F15A09DE846AF392D732ED86CB50
                                                          APIs
                                                          • __startOneArgErrorHandling.LIBCMT ref: 00E7E30D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ErrorHandling__start
                                                          • String ID: pow
                                                          • API String ID: 3213639722-2276729525
                                                          • Opcode ID: b3a79523b3d2352e48b0feb68ab6c0ee77d8ebaedfdd70187cf028f765820b85
                                                          • Instruction ID: c278252dc75d5ddeecaaa9c6d14746d3b1f133d4b7d35b4e95dd71215443ea32
                                                          • Opcode Fuzzy Hash: b3a79523b3d2352e48b0feb68ab6c0ee77d8ebaedfdd70187cf028f765820b85
                                                          • Instruction Fuzzy Hash: 14512661A1C202A6CB167714C9013BA3BA4AB85744F34E9DCE0DDB33E9EB35CC95DB46
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #
                                                          • API String ID: 0-1885708031
                                                          • Opcode ID: 43bd41e4bf43000f7fe59cd3fb5df8ce751904450e925b3222c25fe15e8a8cdf
                                                          • Instruction ID: 97079d928e026b35f9c3b89dbf1fe0da6fcf46b9e8f7da17756a2e72158f20e9
                                                          • Opcode Fuzzy Hash: 43bd41e4bf43000f7fe59cd3fb5df8ce751904450e925b3222c25fe15e8a8cdf
                                                          • Instruction Fuzzy Hash: D9513079500246DFDB18DF68D0916FA7BA9EF1A314F246016F891BF3D0DA34AD46CBA0
                                                          APIs
                                                          • Sleep.KERNEL32(00000000), ref: 00E6F2A2
                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 00E6F2BB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemorySleepStatus
                                                          • String ID: @
                                                          • API String ID: 2783356886-2766056989
                                                          • Opcode ID: 59fba33eb1bfd00931ef354bd45ea72e72de607c4d99eaa3e13a502274fd0d42
                                                          • Instruction ID: 8c0c69358e53458e6e76d865fa41e3c90a38fe659f306e3e799476c9ac9212dc
                                                          • Opcode Fuzzy Hash: 59fba33eb1bfd00931ef354bd45ea72e72de607c4d99eaa3e13a502274fd0d42
                                                          • Instruction Fuzzy Hash: 645155715087489BD320AF10EC96BAFBBF8FB84301F91884CF5D9511A5EB308529CB66
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00ED57E0
                                                          • _wcslen.LIBCMT ref: 00ED57EC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpper_wcslen
                                                          • String ID: CALLARGARRAY
                                                          • API String ID: 157775604-1150593374
                                                          • Opcode ID: 3d5f19412c58cf848e769b50634fcafd1006a0633ab927d477180b124e77dfd7
                                                          • Instruction ID: 8fb27b8c7f3858314b6aa7e47795dfafa9557518563f8c7b501344613783cdab
                                                          • Opcode Fuzzy Hash: 3d5f19412c58cf848e769b50634fcafd1006a0633ab927d477180b124e77dfd7
                                                          • Instruction Fuzzy Hash: 33419236A002099FCB18DFA9C8828EEBBF5FF59354F10606AE515B7391D7349D82DB50
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00ECD130
                                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00ECD13A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CrackInternet_wcslen
                                                          • String ID: |
                                                          • API String ID: 596671847-2343686810
                                                          • Opcode ID: 5fbdaf216e4d713e55f2f0c8aa210c72fe98f74a88f385e99e41ecf8bd99b249
                                                          • Instruction ID: 7dff804e02b4347ce579abbf9db783999b6281c858ae961f55e81f26ffff1683
                                                          • Opcode Fuzzy Hash: 5fbdaf216e4d713e55f2f0c8aa210c72fe98f74a88f385e99e41ecf8bd99b249
                                                          • Instruction Fuzzy Hash: 3D31F871D01119ABCF15EFA4CD85AEE7BB9FF04304F141029F915B6166DA32AA46CB50
                                                          APIs
                                                          • DestroyWindow.USER32(?,?,?,?), ref: 00EE3621
                                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00EE365C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$DestroyMove
                                                          • String ID: static
                                                          • API String ID: 2139405536-2160076837
                                                          • Opcode ID: 69c09e518288db05dc655ffd922d98f22914a6ed982c7150a082cdc4e63a4724
                                                          • Instruction ID: 951210b01bc675de0d014e8b5a7943eca35d80d206f29bd562f5804d0df51019
                                                          • Opcode Fuzzy Hash: 69c09e518288db05dc655ffd922d98f22914a6ed982c7150a082cdc4e63a4724
                                                          • Instruction Fuzzy Hash: B831A471100248AEDB20DF35DC85EFB73A9FF48764F10A619F865E7280DA31AD85D760
                                                          APIs
                                                          • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00EE461F
                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EE4634
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: '
                                                          • API String ID: 3850602802-1997036262
                                                          • Opcode ID: 359bcc39b43d4dba94d417f5c381b7e7f61fab9df31c2078f4408959afeff257
                                                          • Instruction ID: 6a1b66a6e3c77f689ad4add6e09cbb186894e72c0cb9c690da9ed6c248315e9d
                                                          • Opcode Fuzzy Hash: 359bcc39b43d4dba94d417f5c381b7e7f61fab9df31c2078f4408959afeff257
                                                          • Instruction Fuzzy Hash: CD3138B4A0034E9FDB14CFAAC980BDABBB5FF09304F14506AE904AB381D770A945CF90
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EE327C
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EE3287
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: Combobox
                                                          • API String ID: 3850602802-2096851135
                                                          • Opcode ID: a43f5aae304b165714d979161e89c820435de1294ab72ecffc68a8f791c4bcc4
                                                          • Instruction ID: 4f6ccec54a34c77f2291e37dee0ef6d78eea02fd6387ff8ed6ecee177880fa0c
                                                          • Opcode Fuzzy Hash: a43f5aae304b165714d979161e89c820435de1294ab72ecffc68a8f791c4bcc4
                                                          • Instruction Fuzzy Hash: BF11E27130024C7FEF219EA5DC88EFB37ABEB98368F101524FA58A72A0D631DD519760
                                                          APIs
                                                            • Part of subcall function 00E5600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E5604C
                                                            • Part of subcall function 00E5600E: GetStockObject.GDI32(00000011), ref: 00E56060
                                                            • Part of subcall function 00E5600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E5606A
                                                          • GetWindowRect.USER32(00000000,?), ref: 00EE377A
                                                          • GetSysColor.USER32(00000012), ref: 00EE3794
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                          • String ID: static
                                                          • API String ID: 1983116058-2160076837
                                                          • Opcode ID: bb25171ae38a1a82a0735ca82772f9aa4f95b34591f5fe94b6f3b2d4b8514703
                                                          • Instruction ID: 95b459e5286dfd097ad720ce2ccfce34785bd9b69f367272e7d4302600c1c290
                                                          • Opcode Fuzzy Hash: bb25171ae38a1a82a0735ca82772f9aa4f95b34591f5fe94b6f3b2d4b8514703
                                                          • Instruction Fuzzy Hash: 471144B261024AAFDF10DFB9CC4AAEA7BB9EB08314F005925F955E3250E734E8159B60
                                                          APIs
                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00ECCD7D
                                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00ECCDA6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Internet$OpenOption
                                                          • String ID: <local>
                                                          • API String ID: 942729171-4266983199
                                                          • Opcode ID: a8a82df0c67c4a0f7b078636c6a7272c2e14db35bdf96a84709de2615f37be8f
                                                          • Instruction ID: ab5abb26ca7a596b5e8a3a75dbdbfa647dfa93a3ba3576dfd85fb04b24b273f2
                                                          • Opcode Fuzzy Hash: a8a82df0c67c4a0f7b078636c6a7272c2e14db35bdf96a84709de2615f37be8f
                                                          • Instruction Fuzzy Hash: E1110A7150163579D7344B668C44FE3BE6CEF127A4F20522EF10EA3180D3719882D6F0
                                                          APIs
                                                          • GetWindowTextLengthW.USER32(00000000), ref: 00EE34AB
                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00EE34BA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: LengthMessageSendTextWindow
                                                          • String ID: edit
                                                          • API String ID: 2978978980-2167791130
                                                          • Opcode ID: 07043f0d3112f2effe77d389b55629416f11e86190e15258a0b5005913d519eb
                                                          • Instruction ID: 322b9949f6cb718d8650aaa32f1c036e35b1199b241e6cd0d54716bf12771dc0
                                                          • Opcode Fuzzy Hash: 07043f0d3112f2effe77d389b55629416f11e86190e15258a0b5005913d519eb
                                                          • Instruction Fuzzy Hash: FE11BF7110028CAFEB224E76DC88AEB37AAEB05378F606724F970A71D0C731DD559B50
                                                          APIs
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                          • CharUpperBuffW.USER32(?,?,?), ref: 00EB6CB6
                                                          • _wcslen.LIBCMT ref: 00EB6CC2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharUpper
                                                          • String ID: STOP
                                                          • API String ID: 1256254125-2411985666
                                                          • Opcode ID: 93324e399f1218d16cd666cdb98d65a0e3c943db6d3851014cc35d875cd6585b
                                                          • Instruction ID: 83c194d0b3d4e4b7ffb0cc12ed12ae7a08ba3f5f0ff617f8ea157279f4252abe
                                                          • Opcode Fuzzy Hash: 93324e399f1218d16cd666cdb98d65a0e3c943db6d3851014cc35d875cd6585b
                                                          • Instruction Fuzzy Hash: 710104326005278BCB20AFBDDC919FFB7F5EB607147101934E852B6191EB39D844CA50
                                                          APIs
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                            • Part of subcall function 00EB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EB3CCA
                                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EB1D4C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 624084870-1403004172
                                                          • Opcode ID: b0ed00d00f2d3824121b05704207d2f6a695c99fbc681f8301769d316e123074
                                                          • Instruction ID: dc2ed336e78f6158a333ab646d96e02d40ee5318fe17ca2023728e693824034b
                                                          • Opcode Fuzzy Hash: b0ed00d00f2d3824121b05704207d2f6a695c99fbc681f8301769d316e123074
                                                          • Instruction Fuzzy Hash: D5012835600218EB8B08EBE0CC61CFFB7A8EB42361B501D19FC22772C2EA30590C8661
                                                          APIs
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                            • Part of subcall function 00EB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EB3CCA
                                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00EB1C46
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 624084870-1403004172
                                                          • Opcode ID: 58abca342f684d6059070ffe73bf69a1fb4af5b9cdd59645f29ad942c4ba240a
                                                          • Instruction ID: 6b97345c93895e63e51e18053d8a346b6da031660117766ab045294f753c646a
                                                          • Opcode Fuzzy Hash: 58abca342f684d6059070ffe73bf69a1fb4af5b9cdd59645f29ad942c4ba240a
                                                          • Instruction Fuzzy Hash: 1F01AC75641104A6CB08E7A0C963AFFBBE89B51750F541459B80677182EA249E0C9AB2
                                                          APIs
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                            • Part of subcall function 00EB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EB3CCA
                                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00EB1CC8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 624084870-1403004172
                                                          • Opcode ID: 8aba1034242381b0673320e6b48bf81e8894e7c3f37d0730b8a4ecfcef2cae52
                                                          • Instruction ID: 59907cb44b8b70e07555acbb3081295f6f0e9755b223663816affacd7bb2006f
                                                          • Opcode Fuzzy Hash: 8aba1034242381b0673320e6b48bf81e8894e7c3f37d0730b8a4ecfcef2cae52
                                                          • Instruction Fuzzy Hash: 3201FE75740118A7CB08E7A4CA12EFFFBEC9B11750F642415BC0173282EA219F0CDAB2
                                                          APIs
                                                            • Part of subcall function 00E59CB3: _wcslen.LIBCMT ref: 00E59CBD
                                                            • Part of subcall function 00EB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EB3CCA
                                                          • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00EB1DD3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 624084870-1403004172
                                                          • Opcode ID: 2238343c428128f337840ef252fdbf830c56c6f6d5d996b1ef138a27d7583f8f
                                                          • Instruction ID: 4a05186eccf996082c65796f986a87d37485d20f585fbd0371427ce3ae41d25c
                                                          • Opcode Fuzzy Hash: 2238343c428128f337840ef252fdbf830c56c6f6d5d996b1ef138a27d7583f8f
                                                          • Instruction Fuzzy Hash: F6F0A975A41214A6D704E7A4CC52AFFB7B8AB41751F541D19B822772C2DA60590C86A1
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: 3, 3, 16, 1
                                                          • API String ID: 176396367-3042988571
                                                          • Opcode ID: d5e71e82cfb8c3eade15dd361e370df4eb23106264672a9b75c646f2ef3c6e99
                                                          • Instruction ID: 5543e69905cb94383b994ae247cfc123aa439d0815959573cda64b13b094182a
                                                          • Opcode Fuzzy Hash: d5e71e82cfb8c3eade15dd361e370df4eb23106264672a9b75c646f2ef3c6e99
                                                          • Instruction Fuzzy Hash: CCE02B4220432111933223799CC197F5AC9CFC5750710382BFAD9E23AAFB94CD9393A1
                                                          APIs
                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EB0B23
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Message
                                                          • String ID: AutoIt$Error allocating memory.
                                                          • API String ID: 2030045667-4017498283
                                                          • Opcode ID: daca59623d20185236bb3508925e51816df8d10879dbee20ede7ad364c1295da
                                                          • Instruction ID: 24104bad037243f820324f57024c3ebe9067d1d1d7c3f6f64c017f6a4e77c5ec
                                                          • Opcode Fuzzy Hash: daca59623d20185236bb3508925e51816df8d10879dbee20ede7ad364c1295da
                                                          • Instruction Fuzzy Hash: 0AE0D83128434C2BD21436557C43FC97BC48F05F65F201427FB58B95C38BE2689156AA
                                                          APIs
                                                            • Part of subcall function 00E6F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E70D71,?,?,?,00E5100A), ref: 00E6F7CE
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,00E5100A), ref: 00E70D75
                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E5100A), ref: 00E70D84
                                                          Strings
                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E70D7F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                          • API String ID: 55579361-631824599
                                                          • Opcode ID: 99a2fd33404fa742d8f5b6ca14439018f90c6bf4552f531678a8e1ffc0b926b3
                                                          • Instruction ID: 05177933f065d48b15edfb7fb5743696c0beb626845984b08ebeded932828786
                                                          • Opcode Fuzzy Hash: 99a2fd33404fa742d8f5b6ca14439018f90c6bf4552f531678a8e1ffc0b926b3
                                                          • Instruction Fuzzy Hash: 65E06D702007818FD3309FB9E4453427BE0BB14745F00992DF58AEA661DBB0F4498B91
                                                          APIs
                                                          • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00EC302F
                                                          • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00EC3044
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: Temp$FileNamePath
                                                          • String ID: aut
                                                          • API String ID: 3285503233-3010740371
                                                          • Opcode ID: d6a80210f05a1dd97b50b75430c39225b323adbf7d9ed89fa8a890ca929da100
                                                          • Instruction ID: c68917fd73b530a4024679b8d7803b6e375b84811529c93161977a8f07f72d23
                                                          • Opcode Fuzzy Hash: d6a80210f05a1dd97b50b75430c39225b323adbf7d9ed89fa8a890ca929da100
                                                          • Instruction Fuzzy Hash: C2D05B71500318ABDA2097959C4DFC73A6CDB04751F0001517755E60A1DAB4D585CAD0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: %.3d$X64
                                                          • API String ID: 481472006-1077770165
                                                          • Opcode ID: 93abb4f8df03f217923cd55952a8d84e9533af34fedc26744684638a0ca7d0c1
                                                          • Instruction ID: 4ce97168cbd7018348228ca25f3ab96d02ea24f98c4b32e4c4b6e1ce2893e023
                                                          • Opcode Fuzzy Hash: 93abb4f8df03f217923cd55952a8d84e9533af34fedc26744684638a0ca7d0c1
                                                          • Instruction Fuzzy Hash: 0AD012A1C4C109E9CB9096D0DC45AF9B3BCFB1D341F609452F907B5460E624E548E772
                                                          APIs
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EE236C
                                                          • PostMessageW.USER32(00000000), ref: 00EE2373
                                                            • Part of subcall function 00EBE97B: Sleep.KERNEL32 ref: 00EBE9F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: FindMessagePostSleepWindow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 529655941-2988720461
                                                          • Opcode ID: 792ba888c9683aed2aaa3c097d11a4961f7dd34e1da3639745929b3a303705d6
                                                          • Instruction ID: 159abd7b85a5ed5084997f1e537ab3e34ea39c249cb6c7811566a24d2035fd43
                                                          • Opcode Fuzzy Hash: 792ba888c9683aed2aaa3c097d11a4961f7dd34e1da3639745929b3a303705d6
                                                          • Instruction Fuzzy Hash: 2BD0C936381354BEE664A7719C4FFC766549B44B10F1049167745FA1D0C9A0B84A8A55
                                                          APIs
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EE232C
                                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00EE233F
                                                            • Part of subcall function 00EBE97B: Sleep.KERNEL32 ref: 00EBE9F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: FindMessagePostSleepWindow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 529655941-2988720461
                                                          • Opcode ID: 46e954048655854ff0674e53c23d144d6c8972f72c1853251f40ec18f794d07b
                                                          • Instruction ID: 7be1bd7cebd4e7820993a1d0067e71ea3bd5b006f3f98285927cb7dcff109fcc
                                                          • Opcode Fuzzy Hash: 46e954048655854ff0674e53c23d144d6c8972f72c1853251f40ec18f794d07b
                                                          • Instruction Fuzzy Hash: 8BD0A936380340BAE264A3719C4FFC76A049B00B00F1009027305BA1D0C9A0A80A8A00
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00E8BE93
                                                          • GetLastError.KERNEL32 ref: 00E8BEA1
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E8BEFC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2069170887.0000000000E51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000000.00000002.2069154352.0000000000E50000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069226189.0000000000F12000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069277507.0000000000F1C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2069293660.0000000000F24000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e50000_file.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$ErrorLast
                                                          • String ID:
                                                          • API String ID: 1717984340-0
                                                          • Opcode ID: 7ed3c7cca7aaea760a6fe55667990b684752dbb43b2910013e1d70834769ba8d
                                                          • Instruction ID: a88097b3841ab697008ee742f27b2067e55016b1c7b0243e37081c2afdc2d3a1
                                                          • Opcode Fuzzy Hash: 7ed3c7cca7aaea760a6fe55667990b684752dbb43b2910013e1d70834769ba8d
                                                          • Instruction Fuzzy Hash: 7F41E93570424AAFCF21AFA5CC44ABA7BB5EF42714F246169FA5DBB1A1DB308D01CB50